1.3.1
CVE-2026-1086 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the Font Pairing Preview For Landing Pages plugin for WordPress. This flaw allows unauthenticated attackers to modify the plugin's font pairing settings by tricking a site administrator into performing a malicious action. The vulnerability impacts versions 1.0.0 through 1.3, and a fix is available in a subsequent release.
Successful exploitation of this CSRF vulnerability allows an attacker to silently alter the plugin's configuration without requiring authentication. This could lead to unexpected changes in the website's appearance or functionality, potentially impacting user experience and branding. An attacker could craft a malicious link or embed a hidden form on a compromised website to trigger the forged request when a site administrator visits the page. While the direct impact might seem limited to font pairings, it demonstrates a fundamental security weakness that could be leveraged for further attacks if the plugin has other vulnerabilities.
This vulnerability was publicly disclosed on 2026-03-07. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. The relatively low CVSS score suggests a moderate exploitation probability, but the low effort needed to trigger a CSRF attack should still be weighed.
WordPress websites utilizing the Font Pairing Preview For Landing Pages plugin, particularly those with site administrators who frequently click on links from untrusted sources, are at risk. Shared hosting environments where multiple websites share the same server resources are also potentially vulnerable if one site is compromised.
• wordpress / composer / npm:
grep -r 'settings_update' /var/www/html/wp-content/plugins/font-pairing-preview-for-landing-pages/
• generic web:
curl -I 'https://example.com/wp-admin/admin-post.php?action=font_pairing_preview_settings_update&setting1=value1&setting2=value2' # Check for missing nonce (URL quoted so the shell does not split it at '&')
Exploitation status
EPSS
0.01% (2nd percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade to a patched version of the Font Pairing Preview For Landing Pages plugin as soon as it becomes available. Until an upgrade is possible, implement a temporary workaround by adding nonce validation to the settings update functionality. This will prevent forged requests from being processed. Additionally, restrict access to the plugin's settings page to authorized administrators only. Regularly review plugin settings for any unauthorized modifications. After upgrade, confirm by verifying the settings page requires authentication and nonce validation.
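As an added illustration of the nonce-validation workaround described above (this is not the plugin's own code; the fpp_* function names, the option key and the nonce action name are assumptions), here is the unprotected handler pattern beside its hardened form:

```php
<?php
// Added example for a WordPress admin-post settings handler.
// All fpp_* names, the option key and the nonce action are hypothetical;
// the real plugin's source is not reproduced on this page.

// Unprotected pattern: any POST that reaches admin-post.php with this action
// is applied, so a hidden form on another site submitted by a logged-in
// administrator's browser is accepted (the CSRF described above).
function fpp_settings_update_unprotected() {
    $settings = array(
        'heading_font' => sanitize_text_field( wp_unslash( $_POST['heading_font'] ?? '' ) ),
        'body_font'    => sanitize_text_field( wp_unslash( $_POST['body_font'] ?? '' ) ),
    );
    update_option( 'fpp_font_pairing', $settings );
    wp_safe_redirect( admin_url( 'options-general.php?page=fpp&updated=1' ) );
    exit;
}

// Hardened pattern: capability check plus nonce verification.
function fpp_settings_update_hardened() {
    // Only users who may manage options can change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() validates the nonce field and dies on failure.
    // The nonce is tied to the logged-in user's session, so a cross-site
    // forged request cannot supply a valid value.
    check_admin_referer( 'fpp_settings_update', 'fpp_nonce' );

    $settings = array(
        'heading_font' => sanitize_text_field( wp_unslash( $_POST['heading_font'] ?? '' ) ),
        'body_font'    => sanitize_text_field( wp_unslash( $_POST['body_font'] ?? '' ) ),
    );
    update_option( 'fpp_font_pairing', $settings );
    wp_safe_redirect( admin_url( 'options-general.php?page=fpp&updated=1' ) );
    exit;
}
// Only the hardened handler is registered.
add_action( 'admin_post_fpp_settings_update', 'fpp_settings_update_hardened' );

// The legitimate settings form must emit the matching nonce field.
function fpp_render_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="fpp_settings_update">';
    wp_nonce_field( 'fpp_settings_update', 'fpp_nonce' );
    echo '<input name="heading_font"> <input name="body_font">';
    submit_button( 'Save' );
    echo '</form>';
}
```

The post-upgrade check mentioned above maps to the hardened handler: a request without a valid fpp_nonce value, or from a user lacking manage_options, must be rejected rather than applied.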
No known patch is available. Please review the vulnerability details in depth and take mitigation measures according to your organization's risk tolerance. It is best to uninstall the affected software and look for an alternative.
CVE-2026-1086 is a Cross-Site Request Forgery (CSRF) vulnerability in the Font Pairing Preview For Landing Pages WordPress plugin, allowing attackers to modify settings without authentication.
If you are using the Font Pairing Preview For Landing Pages plugin, versions 1.0.0 through 1.3, you are potentially affected by this vulnerability.
Upgrade to the latest patched version of the plugin. If upgrading is not immediately possible, implement nonce validation in the settings update functionality as a temporary workaround.
There are currently no confirmed reports of active exploitation, but the ease of CSRF attacks warrants caution.
Refer to the plugin developer's website or the WordPress plugin repository for updates and advisories related to CVE-2026-1086.