CVE-2026-1086 in Font Pairing Preview for Landing Pages Plugin
Summary
by MITRE • 03/07/2026
The Font Pairing Preview For Landing Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to modify the plugin's font pairing settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Analysis
by VulDB Data Team • 03/08/2026
The Font Pairing Preview For Landing Pages plugin for WordPress represents a critical security vulnerability that affects all versions up to and including 1.3. The flaw is a cross-site request forgery weakness that compromises the integrity of the plugin's configuration settings. It arises from the absence of nonce validation in the plugin's settings update functionality, creating an attack surface that can be exploited without the attacker authenticating to the site. The flaw undermines the security model of the WordPress plugin ecosystem by allowing unauthorized modifications to the configuration parameters that control font pairing behavior for landing pages.
Technically, the vulnerability stems from the plugin's failure to validate nonces during the settings update process. In WordPress security architecture, nonces are time-limited, per-user tokens that verify an administrative request originated from a form the site itself served, and so prevent forged requests from modifying plugin configuration. Without this check, a request constructed by an attacker and submitted from an administrator's browser can manipulate the plugin's font pairing settings. This represents a direct violation of the principle of least privilege and demonstrates a fundamental flaw in the plugin's request validation and authentication mechanisms. The vulnerability operates at the application layer and can be exploited through various attack vectors, including social engineering techniques that trick administrators into executing malicious requests.
The operational impact of this vulnerability extends beyond simple configuration changes to potentially compromise the visual integrity and user experience of WordPress sites utilizing the affected plugin. When an administrator is tricked into clicking a malicious link, the attacker can modify font pairing preferences that may affect how landing pages render, potentially leading to degraded user experience or even accessibility issues. The vulnerability creates a persistent threat vector that remains active until the plugin is updated or the nonce validation is properly implemented. This type of vulnerability is particularly dangerous in enterprise environments where administrators may be targeted through spear-phishing campaigns or other social engineering tactics, making the attack surface significantly larger than initially apparent.
Mitigation strategies for this vulnerability must address both immediate remediation and long-term security improvements within the plugin architecture. The most critical step involves implementing proper nonce validation mechanisms that verify the authenticity of all administrative requests before processing any configuration changes. Security practitioners should also consider implementing additional layers of protection such as rate limiting for configuration updates and enhanced logging of administrative activities. This vulnerability aligns with CWE-352, which specifically addresses cross-site request forgery flaws in web applications, and demonstrates characteristics consistent with ATT&CK technique T1213.002 related to data from information repositories. Organizations should immediately update to patched versions of the plugin and conduct security reviews of other plugins that may exhibit similar validation deficiencies to prevent cascading security issues within their WordPress installations.
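To make the nonce discussion above concrete, the following is an added illustration in the WordPress plugin API, not code from the Font Pairing Preview plugin or from VulDB: a settings handler in the CWE-352 shape the advisory describes, beside the same handler with nonce and capability checks. The option name, field names and the `fpp_demo_` prefix are assumptions made for the example.

```php
<?php
// Added illustration; not the affected plugin's code. The option name
// 'fpp_demo_font_pairing' and the fpp_demo_* names are assumptions.

// BEFORE: the pattern CWE-352 describes. Any request carrying the expected
// POST fields is applied, so a form submitted from another site while an
// administrator is logged in changes the setting.
function fpp_demo_save_settings_unprotected() {
    if ( isset( $_POST['fpp_heading_font'] ) ) {
        update_option( 'fpp_demo_font_pairing', array(
            'heading' => sanitize_text_field( wp_unslash( $_POST['fpp_heading_font'] ) ),
            'body'    => sanitize_text_field( wp_unslash( $_POST['fpp_body_font'] ?? '' ) ),
        ) );
    }
}

// AFTER: the form embeds a nonce tied to the logged-in user and the action
// name; the handler refuses requests without a valid one and also checks
// capability, because a nonce proves origin, not authorization.
function fpp_demo_render_settings_form() {
    $current = get_option( 'fpp_demo_font_pairing', array( 'heading' => '', 'body' => '' ) );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'fpp_demo_save_settings', 'fpp_demo_nonce' );
    echo '<input type="hidden" name="action" value="fpp_demo_save_settings">';
    echo '<input type="text" name="fpp_heading_font" value="' . esc_attr( $current['heading'] ) . '">';
    echo '<input type="text" name="fpp_body_font" value="' . esc_attr( $current['body'] ) . '">';
    submit_button( 'Save font pairing' );
    echo '</form>';
}

function fpp_demo_save_settings_protected() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() wraps wp_verify_nonce() and stops the request
    // with a 403 "link expired" page when the nonce is missing or invalid.
    check_admin_referer( 'fpp_demo_save_settings', 'fpp_demo_nonce' );

    update_option( 'fpp_demo_font_pairing', array(
        'heading' => sanitize_text_field( wp_unslash( $_POST['fpp_heading_font'] ?? '' ) ),
        'body'    => sanitize_text_field( wp_unslash( $_POST['fpp_body_font'] ?? '' ) ),
    ) );
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_fpp_demo_save_settings', 'fpp_demo_save_settings_protected' );
```

Rejected nonce checks surface as 403 responses to admin-post.php in the web server log, which is a practical detection signal for forged settings requests against a patched plugin.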