PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8610 conoha CVE debrief

The TypeSquare Webfonts for ConoHa plugin for WordPress contains an authorization bypass vulnerability affecting all versions up to and including 2.0.4. The plugin fails to verify user authorization before allowing modifications to site-wide font settings. Authenticated attackers with subscriber-level access or higher can modify the plugin's configuration, including the typesquare_auth option (fontThemeUseType), show_post_form, and typesquare_fonttheme settings, by submitting a POST request to any wp-admin page. Additionally, for fontThemeUseType values 1 and 3, no nonce verification is performed, making those code paths vulnerable to cross-site request forgery attacks. The vulnerability was disclosed on May 20, 2026, with a CVSS 3.1 score of 4.3 (Medium severity). The underlying weakness is categorized as CWE-862: Missing Authorization.

Vendor
conoha
Product
TypeSquare Webfonts for ConoHa
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-20
Original CVE updated
2026-05-20
Advisory published
2026-05-20
Advisory updated
2026-05-20

Who should care

WordPress site administrators using the TypeSquare Webfonts for ConoHa plugin; security teams managing WordPress installations with multi-user environments where subscriber or contributor accounts exist; hosting providers offering ConoHa-related WordPress services

Technical summary

The vulnerability exists in the TypeSquare Webfonts for ConoHa WordPress plugin (≤2.0.4) because its settings handler lacks an authorization check. The plugin processes POST requests that modify site-wide font settings without verifying that the requesting user holds an administrative capability such as manage_options. The affected options are typesquare_auth (specifically its fontThemeUseType value), show_post_form, and typesquare_fonttheme. For fontThemeUseType values 1 and 3, the code path additionally lacks nonce verification, so those settings can also be changed via CSRF against a logged-in user who visits an attacker-controlled page. The primary attack vector requires an authenticated account at subscriber level or above with network access to the WordPress admin interface; the CSRF variant needs no account of the attacker's own but does need a victim with a live session. Because the settings are changed by a POST to any wp-admin page rather than to a plugin-specific settings screen, the handler is most likely attached to a hook that fires on every admin page load (such as admin_init) with no capability gate in front of it.
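To make the two defects concrete, the following is an added PHP example, not the plugin's real code: an illustrative reconstruction of the vulnerable pattern described above, followed by the hardened form of the same handler. The option names typesquare_auth, show_post_form and typesquare_fonttheme and the fontThemeUseType value are taken from the advisory; the hook choice, the POST field names, the tsq_example_* function names and the nonce action and field names are assumptions made for illustration.

```php
<?php
// Added example: an illustrative reconstruction of the bug class, NOT the plugin's
// real code. Option names (typesquare_auth, show_post_form, typesquare_fonttheme)
// and the fontThemeUseType value come from the advisory; the handler structure,
// hook, POST field names and nonce names are assumptions made for illustration.

// --- Vulnerable pattern ------------------------------------------------------
// Hooked on admin_init, so it runs on EVERY wp-admin page load: a POST carrying
// these fields to any admin URL reaches it, which matches the advisory's
// "POST request to any wp-admin page".
function tsq_example_vulnerable_save() {
    if ( ! isset( $_POST['fontThemeUseType'] ) ) {
        return;
    }
    $type = (int) $_POST['fontThemeUseType'];

    // Missing authorization (CWE-862): no current_user_can() anywhere, so a
    // subscriber who is merely logged in can change site-wide settings.

    // Nonce verified on some branches only; the paths for types 1 and 3 skip it,
    // so those two are also reachable by a forged cross-site form (CSRF).
    if ( 1 !== $type && 3 !== $type ) {
        check_admin_referer( 'tsq_example_save', 'tsq_example_nonce' );
    }

    update_option( 'typesquare_auth', array( 'fontThemeUseType' => $type ) );
    update_option( 'show_post_form', isset( $_POST['show_post_form'] ) ? 1 : 0 );
    if ( isset( $_POST['typesquare_fonttheme'] ) ) {
        update_option( 'typesquare_fonttheme', wp_unslash( $_POST['typesquare_fonttheme'] ) );
    }
}
// add_action( 'admin_init', 'tsq_example_vulnerable_save' ); // intentionally not hooked

// --- Hardened pattern --------------------------------------------------------
function tsq_example_hardened_save() {
    if ( ! isset( $_POST['fontThemeUseType'] ) ) {
        return;
    }

    // 1. Authorization first: only users allowed to manage site-wide settings.
    //    Checking a capability, not a role name, is the WordPress-idiomatic form.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.' ), 403 );
    }

    // 2. CSRF: verify the nonce before ANY branch, not on selected ones. The form
    //    must emit it with wp_nonce_field( 'tsq_example_save', 'tsq_example_nonce' ).
    //    check_admin_referer() calls wp_die() itself when the nonce is missing or bad.
    check_admin_referer( 'tsq_example_save', 'tsq_example_nonce' );

    // 3. Validate and sanitize before storing anything.
    $type = absint( $_POST['fontThemeUseType'] );
    update_option( 'typesquare_auth', array( 'fontThemeUseType' => $type ) );
    update_option( 'show_post_form', isset( $_POST['show_post_form'] ) ? 1 : 0 );
    if ( isset( $_POST['typesquare_fonttheme'] ) ) {
        $theme = sanitize_text_field( wp_unslash( $_POST['typesquare_fonttheme'] ) );
        update_option( 'typesquare_fonttheme', $theme );
    }
}
add_action( 'admin_init', 'tsq_example_hardened_save' );
```

The order in the hardened handler matters: the capability check comes before the nonce check, and the nonce check comes before any branch on the submitted value, so there is no code path that writes an option without both having passed. Moving the handler off admin_init onto a dedicated admin_post_{action} hook would additionally stop it from running on unrelated admin page loads.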

Defensive priority

medium

Recommended defensive actions

  • Update the TypeSquare Webfonts for ConoHa WordPress plugin to a version newer than 2.0.4 as soon as one is available
  • As a stopgap, add a web server or WAF rule that blocks POST requests carrying the plugin's settings fields to any wp-admin URL; keying on a URL path is not sufficient because the handler fires on every admin page. The names typesquare_auth, show_post_form, typesquare_fonttheme and fontThemeUseType appear in the advisory, but confirm the exact POST parameter names from the plugin source before writing the rule, and note that a WAF cannot tell an administrator's legitimate save from a subscriber's, so such a rule also blocks legitimate changes
  • If running an affected version, audit the current values of typesquare_auth, show_post_form, and typesquare_fonttheme against the intended configuration and restore them if they have been changed
  • Consider temporarily disabling the plugin if an update is not yet available and the functionality is not critical
  • Monitor for settings changes initiated by low-privileged accounts. Web server access logs record neither the WordPress user nor the POST body, so this needs an application-level source such as a WordPress audit-log plugin or a custom hook on option updates
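One way to cover both the interim-mitigation and the monitoring points above while waiting for a fixed release is a small must-use plugin that refuses and logs writes to the three named options by anyone without manage_options. This is an added example, not vendor code; it relies on WordPress's pre_update_option_{$option} filter and on the option names from the advisory, and the tsq_guard_* names are assumptions. It does not defend the CSRF path where an administrator is the victim, because in that case the current user legitimately holds the capability; only the plugin's own nonce check closes that path.

```php
<?php
/**
 * Plugin Name: TypeSquare settings guard (added interim example, not vendor code)
 *
 * Drop this file into wp-content/mu-plugins/ until the plugin is updated.
 * It hooks WordPress's pre_update_option_{$option} filter for the three options
 * the advisory names, refuses the write when the current user lacks
 * manage_options, and logs enough to triage the attempt. Function and constant
 * names (tsq_guard_*) are assumptions made for this example.
 *
 * Limits: it cannot stop the CSRF path where an administrator is the victim
 * (that user legitimately holds the capability), and it is a stopgap, not a fix.
 */

// Options named in the advisory.
const TSQ_GUARDED_OPTIONS = array( 'typesquare_auth', 'show_post_form', 'typesquare_fonttheme' );

/**
 * Runs before update_option() persists a new value for a guarded option.
 * Returning the old value makes update_option() a no-op; this also covers the
 * case where the option does not exist yet, because update_option() applies
 * this filter before falling back to add_option().
 */
function tsq_guard_pre_update( $new_value, $old_value, $option ) {
    // WP-CLI and cron run with no logged-in user; do not block administrative
    // tooling that has no HTTP request behind it.
    if ( ( defined( 'WP_CLI' ) && WP_CLI ) || ( defined( 'DOING_CRON' ) && DOING_CRON ) ) {
        return $new_value;
    }
    if ( current_user_can( 'manage_options' ) ) {
        return $new_value; // authorized change, let it through
    }

    $user = wp_get_current_user(); // ID 0 / empty user_login when nobody is logged in
    error_log( sprintf(
        'tsq_guard: blocked write to %s by user #%d (%s) from %s via %s %s',
        $option,
        $user->ID,
        $user->user_login ? $user->user_login : '(unauthenticated)',
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : '-',
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-'
    ) );

    return $old_value;
}

foreach ( TSQ_GUARDED_OPTIONS as $tsq_option ) {
    add_filter( 'pre_update_option_' . $tsq_option, 'tsq_guard_pre_update', 10, 3 );
}
```

The log line lands wherever PHP's error_log is configured (typically the web server error log or WordPress's debug.log when WP_DEBUG_LOG is enabled), which gives the monitoring bullet an application-level signal that access logs alone cannot provide: the WordPress user ID and login, the option targeted, and the admin URL the POST was sent to. A burst of blocked writes from subscriber accounts against unrelated wp-admin URLs is exactly the pattern this advisory describes.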

Evidence notes

Vulnerability confirmed via Wordfence security advisory and WordPress plugin source code review. Multiple source code references identify the affected files and line numbers where authorization checks are absent.

Official resources

2026-05-20