What the vulnerability does
01Description
The TypeSquare Webfonts for ConoHa plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the plugin's site-wide font settings, including the typesquare_auth option (fontThemeUseType), show_post_form, and typesquare_fonttheme, by submitting a POST request to any wp-admin page. For fontThemeUseType values 1 and 3, no nonce verification is performed either, meaning those branches are additionally exploitable via cross-site request forgery.
Explanation of Vulnerability in Simple Terms
02Summary
TypeSquare Webfonts for ConoHa versions 2.0.4 and earlier lack proper authorization checks, allowing authenticated users to modify data they should not have access to. An attacker with low-level account privileges can alter content without restriction. The vulnerability affects the integrity of site data but does not expose sensitive information or cause service disruption.
What an attacker can do
03Attacker Capabilities
Modify site data or content without proper permission checks.
Potential impact on your site
04Site Impact
Unauthorized users with basic accounts can alter site content or settings they should not control.
Conditions required to exploit
05Prerequisites
Attacker must have a low-privilege authenticated account on the site.
Key dates
06Disclosure timeline
May 20, 2026
CVE published
May 20, 2026
Record updated
