Platform
wordpress
Component
wp-font-pairing-preview
Fixed in
1.3.1
CVE-2026-1086 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the Font Pairing Preview For Landing Pages plugin for WordPress. This flaw allows unauthenticated attackers to modify the plugin's font pairing settings by tricking a site administrator into performing a malicious action. The vulnerability impacts versions 1.0.0 through 1.3, and a fix is available in a subsequent release.
Successful exploitation of this CSRF vulnerability allows an attacker to silently alter the plugin's configuration without requiring authentication. This could lead to unexpected changes in the website's appearance or functionality, potentially impacting user experience and branding. An attacker could craft a malicious link or embed a hidden form on a compromised website to trigger the forged request when a site administrator visits the page. While the direct impact might seem limited to font pairings, it demonstrates a fundamental security weakness that could be leveraged for further attacks if the plugin has other vulnerabilities.
This vulnerability was publicly disclosed on 2026-03-07. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. The relatively low CVSS score suggests a moderate exploitation probability, but the ease of triggering a CSRF attack should be considered.
WordPress websites utilizing the Font Pairing Preview For Landing Pages plugin, particularly those with site administrators who frequently click on links from untrusted sources, are at risk. Shared hosting environments where multiple websites share the same server resources are also potentially vulnerable if one site is compromised.
• wordpress / composer / npm:
grep -r 'settings_update' /var/www/html/wp-content/plugins/font-pairing-preview-for-landing-pages/
• generic web:
curl -I 'https://example.com/wp-admin/admin-post.php?action=font_pairing_preview_settings_update&setting1=value1&setting2=value2' # Check for missing nonce
Disclosure
Exploit Status
EPSS
0.01% (2nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade to a patched version of the Font Pairing Preview For Landing Pages plugin as soon as it becomes available. Until an upgrade is possible, implement a temporary workaround by adding nonce validation to the settings update functionality. This will prevent forged requests from being processed. Additionally, restrict access to the plugin's settings page to authorized administrators only. Regularly review plugin settings for any unauthorized modifications. After upgrade, confirm by verifying the settings page requires authentication and nonce validation.
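To make the nonce-validation workaround concrete, here is an added illustration of an admin-post.php settings handler in its forgeable shape and its hardened shape. This is not the plugin's own code: the action name is taken from the curl check above, while the function names, option name, form field and nonce name are assumptions.

```php
<?php
// Hypothetical handler for the admin-post.php action named in this advisory.
// Added illustration only; the option name, field and nonce name are assumed.

// VULNERABLE SHAPE: the admin_post_ hook only guarantees a logged-in user.
// Nothing ties the request to a page this site rendered, so a hidden form on
// another site, submitted by a logged-in administrator, is accepted as-is.
function fpp_settings_update_vulnerable() {
    $pairing = sanitize_text_field( wp_unslash( $_POST['pairing'] ?? '' ) );
    update_option( 'fpp_font_pairing', $pairing );
    wp_safe_redirect( admin_url( 'options-general.php?page=fpp' ) );
    exit;
}

// HARDENED SHAPE: require the capability, then require a nonce that only a
// form rendered by this site for this user could carry.
function fpp_settings_update_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // Terminates with a 403 unless $_REQUEST['fpp_nonce'] is a valid nonce
    // for the 'fpp_settings_update' action and the current user.
    check_admin_referer( 'fpp_settings_update', 'fpp_nonce' );

    $pairing = sanitize_text_field( wp_unslash( $_POST['pairing'] ?? '' ) );
    update_option( 'fpp_font_pairing', $pairing );
    wp_safe_redirect( admin_url( 'options-general.php?page=fpp' ) );
    exit;
}
add_action( 'admin_post_font_pairing_preview_settings_update', 'fpp_settings_update_hardened' );

// The legitimate settings form emits the matching nonce field; a request
// assembled elsewhere cannot know its value, so it fails the check above.
function fpp_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="font_pairing_preview_settings_update">
        <?php wp_nonce_field( 'fpp_settings_update', 'fpp_nonce' ); ?>
        <input type="text" name="pairing"
               value="<?php echo esc_attr( get_option( 'fpp_font_pairing', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

When verifying after an upgrade, a POST to the action without a valid nonce should be rejected with a 403 rather than changing the stored option.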
No known patch is available. Please review the vulnerability details in depth and apply mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and look for a replacement.
CVE-2026-1086 is a Cross-Site Request Forgery (CSRF) vulnerability in the Font Pairing Preview For Landing Pages WordPress plugin, allowing attackers to modify settings without authentication.
If you are using Font Pairing Preview For Landing Pages plugin versions 1.0.0 through 1.3, you are potentially affected by this vulnerability.
Upgrade to the latest patched version of the plugin. If upgrading is not immediately possible, implement nonce validation in the settings update functionality as a temporary workaround.
There are currently no confirmed reports of active exploitation, but the ease of CSRF attacks warrants caution.
Refer to the plugin developer's website or the WordPress plugin repository for updates and advisories related to CVE-2026-1086.