CVE-2026-8610

Name of the Vulnerable Software and Affected Versions TypeSquare Webfonts for ConoHa versions prior to 2.0.5

Description The plugin fails to properly verify if a user is authorized to perform specific actions, leading to an authorization bypass. Authenticated attackers with subscriber-level access or higher can modify site-wide font settings by submitting a POST request to any 'wp-admin' page. The affected settings include the typesquare auth option (fontThemeUseType), show post form, and typesquare fonttheme. Additionally, when fontThemeUseType is set to 1 or 3, the lack of nonce verification—a unique token used to prevent duplicate or forged requests—makes these branches susceptible to cross-site request forgery.

Recommendations Update to a version later than 2.0.4.