[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fu3XgiWmtw4CrKMiHuxxWUIh70zLAefAGffx1GBObkBc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-8610","typesquare-webfonts-for-conoha-missing-authorization-to-authenticated-subscriber-plugin-settings-modification-via-fontth","TypeSquare Webfonts for ConoHa \u003C= 2.0.4 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Modification via 'fontThemeUseType' Parameter","The TypeSquare Webfonts for ConoHa plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the plugin's site-wide font settings, including the typesquare_auth option (fontThemeUseType), show_post_form, and typesquare_fonttheme, by submitting a POST request to any wp-admin page. 
For fontThemeUseType values 1 and 3, no nonce verification is performed either, meaning those branches are additionally exploitable via cross-site request forgery.","ts-webfonts-for-conoha",null,"\u003C=2.0.4","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-19 12:13:19","2026-05-20 01:25:50",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F88002a25-6890-4f8b-8a11-239b59d56672?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan - CVE-2026-8610\n\n## 1. Vulnerability Summary\nThe **TypeSquare Webfonts for ConoHa** plugin (versions \u003C= 2.0.4) contains a missing authorization vulnerability that allows authenticated users with Subscriber-level permissions or higher to modify site-wide plugin settings. The vulnerability exists because the plugin's settings update logic, likely hooked to `admin_init`, fails to verify the user's capabilities (e.g., `manage_options`) before updating options in the database. Additionally, certain logic branches (where `fontThemeUseType` is 1 or 3) skip nonce verification entirely, making the plugin also vulnerable to Cross-Site Request Forgery (CSRF).\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** Any page within the WordPress administrative interface (e.g., `\u002Fwp-admin\u002Findex.php`, `\u002Fwp-admin\u002Fadmin-post.php`).\n*   **Action Hook:** `admin_init` (inferred from the \"any wp-admin page\" description).\n*   **Vulnerable Parameters:** `fontThemeUseType`, `show_post_form`, `typesquare_fonttheme`.\n*   **Authentication:** Authenticated (Subscriber or above).\n*   **Preconditions:** The plugin must be active. No specific plugin configuration is required to trigger the vulnerability.\n\n## 3. Code Flow (Inferred)\n1.  An authenticated user (e.g., Subscriber) sends a `POST` request to `\u002Fwp-admin\u002Findex.php`.\n2.  
WordPress initializes the admin environment, triggering the `admin_init` hook.\n3.  The plugin's handler (e.g., `TypeSquare_Webfonts_Admin::save_settings` or similar) executes.\n4.  The handler checks for the presence of the `fontThemeUseType` parameter in `$_POST`.\n5.  **Authorization Failure:** The handler does not call `current_user_can( 'manage_options' )`.\n6.  **Nonce Bypass:** If `$_POST['fontThemeUseType']` is set to `1` or `3`, the code branches away from or skips the `check_admin_referer()` call.\n7.  The plugin proceeds to call `update_option()` for:\n    *   `typesquare_auth` (using the value from `fontThemeUseType`)\n    *   `show_post_form`\n    *   `typesquare_fonttheme`\n\n## 4. Nonce Acquisition Strategy\nAccording to the vulnerability description:\n*   For `fontThemeUseType` values **1** and **3**, no nonce verification is performed.\n*   **Strategy:** We will use `fontThemeUseType=1` or `fontThemeUseType=3` in our exploit to bypass the need for a nonce entirely. This confirms both the Authorization Bypass and the CSRF component.\n\nIf a nonce were required for other values, the strategy would be:\n1.  Navigate to the plugin settings page: `\u002Fwp-admin\u002Foptions-general.php?page=ts-webfonts-for-conoha` (inferred slug).\n2.  Use `browser_eval` to extract the nonce from the form: `browser_eval(\"document.querySelector('input[name=\\\"_wpnonce\\\"]')?.value\")`.\n\n## 5. Exploitation Strategy\nWe will perform a `POST` request as a Subscriber user to modify the plugin's settings.\n\n### Request Details\n*   **Method:** `POST`\n*   **URL:** `{{BASE_URL}}\u002Fwp-admin\u002Findex.php`\n*   **Headers:**\n    *   `Content-Type: application\u002Fx-www-form-urlencoded`\n    *   `Cookie: [Subscriber Session Cookies]`\n*   **Body Parameters:**\n    *   `fontThemeUseType`: `1` (Triggers the nonce-less branch and sets `typesquare_auth`)\n    *   `show_post_form`: `1`\n    *   `typesquare_fonttheme`: `vulnerable_theme_modified`\n\n### Steps\n1.  
Log in as a Subscriber user via the `browser_navigate` and `browser_type` tools.\n2.  Capture the session cookies.\n3.  Use `http_request` to send the malicious `POST` payload.\n4.  Verify the change using WP-CLI.\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Ensure `ts-webfonts-for-conoha` version 2.0.4 is installed and active.\n2.  **Create User:** \n    ```bash\n    wp user create attacker attacker@example.com --role=subscriber --user_pass=password123\n    ```\n3.  **Check Initial State:**\n    ```bash\n    wp option get typesquare_auth\n    wp option get show_post_form\n    wp option get typesquare_fonttheme\n    ```\n\n## 7. Expected Results\n*   The `http_request` should return a `200 OK` or `302 Redirect`.\n*   The WordPress database options `typesquare_auth`, `show_post_form`, and `typesquare_fonttheme` will be updated to the values provided in the `POST` request.\n\n## 8. Verification Steps\nAfter the exploit attempt, run the following WP-CLI commands:\n1.  Verify `typesquare_auth`:\n    ```bash\n    wp option get typesquare_auth\n    # Expected: 1\n    ```\n2.  Verify `show_post_form`:\n    ```bash\n    wp option get show_post_form\n    # Expected: 1\n    ```\n3.  Verify `typesquare_fonttheme`:\n    ```bash\n    wp option get typesquare_fonttheme\n    # Expected: vulnerable_theme_modified\n    ```\n\n## 9. Alternative Approaches\nIf sending the request to `\u002Fwp-admin\u002Findex.php` does not trigger the `admin_init` logic (e.g., if the plugin checks for a specific page slug), target the settings page directly:\n*   **URL:** `{{BASE_URL}}\u002Fwp-admin\u002Foptions-general.php?page=ts-webfonts-for-conoha`\n\nIf `fontThemeUseType=1` fails to trigger the settings update, try `fontThemeUseType=3`. 
Both are identified as skipping nonce checks.\n\nIf the settings are only updated if a specific \"submit\" parameter is present (common in WordPress plugins), add an inferred submit parameter:\n*   `submit=Save+Changes` or `typesquare_submit=1`.","The TypeSquare Webfonts for ConoHa plugin fails to perform authorization checks and, in specific cases, nonce validation when saving settings via admin hooks. This allows authenticated subscribers to modify site-wide configurations, including authentication settings and font themes, either directly or via Cross-Site Request Forgery (CSRF).","\u002F\u002F Inferred from plugin logic described in research plan\n\u002F\u002F ts-webfonts-for-conoha.php (or admin handler)\n\npublic function save_settings() {\n    if (isset($_POST['fontThemeUseType'])) {\n        $use_type = $_POST['fontThemeUseType'];\n\n        \u002F\u002F Vulnerability 1: Missing current_user_can('manage_options') check\n        \n        \u002F\u002F Vulnerability 2: Conditional nonce bypass for values 1 and 3\n        if ($use_type != '1' && $use_type != '3') {\n            if (!isset($_POST['_wpnonce']) || !wp_verify_nonce($_POST['_wpnonce'], 'typesquare_settings')) {\n                return;\n            }\n        }\n\n        update_option('typesquare_auth', $use_type);\n\n        if (isset($_POST['show_post_form'])) {\n            update_option('show_post_form', sanitize_text_field($_POST['show_post_form']));\n        }\n\n        if (isset($_POST['typesquare_fonttheme'])) {\n            update_option('typesquare_fonttheme', sanitize_text_field($_POST['typesquare_fonttheme']));\n        }\n    }\n}","--- a\u002Fts-webfonts-for-conoha\u002Fadmin\u002Fclass-typesquare-webfonts-admin.php\n+++ b\u002Fts-webfonts-for-conoha\u002Fadmin\u002Fclass-typesquare-webfonts-admin.php\n@@ -10,10 +10,10 @@\n public function save_settings() {\n-    if (isset($_POST['fontThemeUseType'])) {\n-        $use_type = $_POST['fontThemeUseType'];\n-        if ($use_type != '1' 
&& $use_type != '3') {\n-            if (!isset($_POST['_wpnonce']) || !wp_verify_nonce($_POST['_wpnonce'], 'typesquare_settings')) {\n-                return;\n-            }\n-        }\n+    if (isset($_POST['fontThemeUseType'])) {\n+        if (!current_user_can('manage_options')) {\n+            wp_die(__('You do not have sufficient permissions to access this page.'));\n+        }\n+        check_admin_referer('typesquare_settings_action', 'typesquare_nonce');\n+        \n+        $use_type = sanitize_text_field($_POST['fontThemeUseType']);\n         update_option('typesquare_auth', $use_type);","The exploit targets the settings modification logic triggered on `admin_init`. An attacker requires Subscriber-level credentials or must trick an administrator into visiting a malicious page (CSRF). To exploit the vulnerability, the attacker submits a POST request to any administrative endpoint (like \u002Fwp-admin\u002Findex.php). The payload must include the `fontThemeUseType` parameter set to either '1' or '3', which bypasses the plugin's internal nonce verification. Along with this, the attacker can include the `show_post_form` and `typesquare_fonttheme` parameters to overwrite the plugin's configuration in the `wp_options` table. Because there is no check for the user's capability to manage options, the server processes the update for any authenticated user session.","gemini-3-flash-preview","2026-05-20 16:46:13","2026-05-20 16:46:33",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fts-webfonts-for-conoha\u002Ftags"]
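Review bot: the added `check_admin_referer('typesquare_settings_action', 'typesquare_nonce')` uses a different action and field name than the removed `wp_verify_nonce($_POST['_wpnonce'], 'typesquare_settings')`, and nothing in the hunk shows the settings form emitting a matching field. Confirm the form calls `wp_nonce_field()` with the same action and name, otherwise every legitimate save fails the check. The new `$use_type = sanitize_text_field($_POST['fontThemeUseType'])` still writes any string to `typesquare_auth`; consider passing it through `wp_unslash()` and rejecting values outside the set the plugin actually supports before `update_option()`. The hunk ends at the first `update_option()` call, so the handling of `show_post_form` and `typesquare_fonttheme` cannot be reviewed from these lines. The `@@ -10,10 +10,10 @@` counts also do not match the visible lines, and the record lists no patched version, so check this diff against the plugin source before relying on it.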