What the vulnerability does
01 Description
The CITS Support svg, webp Media and TTF,OTF File Upload, Use Custom Fonts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2. This is due to missing or incorrect nonce validation on the cits_assign_fonts_tab() function. This makes it possible for unauthenticated attackers to delete font assignments via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Explanation of Vulnerability in Simple Terms
02 Summary
The CITS Support plugin for WordPress contains a cross-site request forgery (CSRF) vulnerability. Its cits_assign_fonts_tab() function performs a state-changing action without validating a WordPress nonce, so the plugin cannot tell a request the administrator intended from one a third-party page forged. An attacker can craft a web page that, when visited by a logged-in site administrator, submits a forged request that deletes the plugin's font assignments without the administrator's knowledge or consent. The attacker needs no account on the target site. Versions 4.2 and earlier are affected.
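To make the mechanism concrete, here is an added illustrative example in PHP. It is not code from the CITS Support plugin; every function, option, action and nonce name in it is hypothetical (only cits_assign_fonts_tab() is named in the advisory, and its real body is not reproduced here). The block shows a WordPress admin-post handler that deletes a font assignment written the vulnerable way, with no nonce validation, beside the hardened form that checks capability and nonce, and the admin form that issues the nonce.

```php
<?php
/**
 * Added illustrative example (not the plugin's own code): a WordPress
 * admin-post handler that deletes a custom font assignment, first without
 * nonce validation (the CSRF pattern the advisory describes) and then hardened.
 *
 * All names below (functions, option, actions, nonce) are hypothetical.
 */

// Hypothetical storage: array of CSS selector => font-family assignments.
const EXAMPLE_FONT_OPTION = 'example_font_assignments';

/**
 * VULNERABLE PATTERN. The handler trusts a POST parameter and changes state
 * without checking a nonce. A page on any origin can auto-submit a form to
 * /wp-admin/admin-post.php?action=example_delete_font_vuln; the browser
 * attaches the administrator's cookies, WordPress authenticates the session,
 * and the assignment is deleted. Being logged in is the only "check".
 */
function example_delete_font_assignment_vulnerable() {
    $assignments = get_option( EXAMPLE_FONT_OPTION, array() );
    $selector    = sanitize_text_field( wp_unslash( $_POST['selector'] ?? '' ) );

    unset( $assignments[ $selector ] ); // state change on an unverified request
    update_option( EXAMPLE_FONT_OPTION, $assignments );

    wp_safe_redirect( admin_url( 'admin.php?page=example-fonts' ) );
    exit;
}
add_action( 'admin_post_example_delete_font_vuln', 'example_delete_font_assignment_vulnerable' );

/**
 * HARDENED PATTERN. Two independent checks:
 *   1. current_user_can(): the caller is allowed to perform this action.
 *   2. check_admin_referer(): the request carries a valid nonce issued to this
 *      user for this action. A cross-site page cannot read or forge that value,
 *      so a forged request fails here. On failure WordPress calls wp_die() and
 *      the handler never reaches the state change.
 */
function example_delete_font_assignment_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), 403 );
    }
    check_admin_referer( 'example_delete_font', 'example_font_nonce' );

    $assignments = get_option( EXAMPLE_FONT_OPTION, array() );
    $selector    = sanitize_text_field( wp_unslash( $_POST['selector'] ?? '' ) );

    if ( isset( $assignments[ $selector ] ) ) {
        unset( $assignments[ $selector ] );
        update_option( EXAMPLE_FONT_OPTION, $assignments );
    }

    wp_safe_redirect( admin_url( 'admin.php?page=example-fonts' ) );
    exit;
}
add_action( 'admin_post_example_delete_font', 'example_delete_font_assignment_hardened' );

/**
 * The admin-side form that issues the nonce. wp_nonce_field() emits a hidden
 * input named example_font_nonce (plus _wp_http_referer) whose value
 * check_admin_referer() verifies for the same action string.
 */
function example_render_delete_form( $selector ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_delete_font">
        <input type="hidden" name="selector" value="<?php echo esc_attr( $selector ); ?>">
        <?php wp_nonce_field( 'example_delete_font', 'example_font_nonce' ); ?>
        <?php submit_button( __( 'Remove font assignment', 'example' ), 'delete', 'submit', false ); ?>
    </form>
    <?php
}
```

The nonce is not a secret that protects the action itself; it is proof that the request originated from a page WordPress served to this user. WordPress derives the token from the user ID, session token, action string and a time window, so a page on another origin can neither read nor forge it. Note that current_user_can() alone does not stop CSRF, because the administrator's own session passes that check; the nonce check is what distinguishes an intended request from a forged one, and both checks belong in every state-changing handler.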
What an attacker can do
03 Attacker Capabilities
Trick a logged-in administrator into submitting a forged request to the unprotected cits_assign_fonts_tab() handler, deleting the plugin's custom font assignments without the administrator's knowledge. The attacker does not need an account on the site, but can only act through the administrator's browser session and cannot read the response.
Potential impact on your site
04 Site Impact
Custom fonts assigned through the plugin are removed if an administrator visits a malicious page or link while logged in, affecting the site's appearance until the assignments are restored. This is an integrity impact on the plugin's configuration; the advisory does not describe file upload, code execution or data disclosure.
Conditions required to exploit
05 Prerequisites
A site administrator must visit the attacker's page, or follow the attacker's link, while logged into WordPress. The attacker needs no account or privileges on the target site.
Key dates
06 Disclosure timeline
March 22, 2025: CVE published
April 8, 2026: Record updated