Description
The CITS Support svg, webp Media and TTF,OTF File Upload, Use Custom Fonts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2. This is due to missing or incorrect nonce validation on the cits_settings_tab() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-03-22
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Request Forgery allowing unauthorized modification of plugin settings
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a Cross-Site Request Forgery (CWE-352) in the CITS Support svg, webp Media and TTF,OTF File Upload, Use Custom Fonts WordPress plugin. It arises from missing or incorrect nonce validation in the cits_settings_tab() function. As a result, an unauthenticated attacker who forges a request can cause the browser of a logged-in site administrator to modify the plugin's configuration settings. The changes affect how media files and custom fonts are handled by the plugin, but the vulnerability does not expose confidential data or grant direct code execution.

Affected Systems

All releases of the CITS Support svg, webp Media and TTF,OTF File Upload, Use Custom Fonts plugin up to and including version 4.2 are vulnerable on any WordPress installation. Sites that rely on this plugin for media management and custom font handling must be assessed for the presence of these versions.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity. An EPSS score of less than 1% suggests a low probability of exploitation at present, and the flaw is not listed in the CISA KEV catalog. Exploitation requires an unauthenticated attacker to trick a site administrator into following a malicious link or submitting a forged form, which is a social engineering vector. While the attack is limited to changing plugin settings, the change can affect site appearance and media handling, which could be undesirable for high-traffic or high-value sites.

Generated by OpenCVE AI on April 28, 2026 at 19:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the CITS Support svg, webp Media and TTF,OTF File Upload, Use Custom Fonts plugin to the latest available version where the nonce check has been corrected.
  • If the plugin cannot be upgraded immediately, remove or disable it from the site to eliminate the vulnerable functionality.
  • Configure the web application firewall or use a plugin that enforces CSRF protection for the settings page, and consider applying a manual patch to the cits_settings_tab() function to ensure the nonce is verified before processing any changes.
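To make the last recommendation concrete, the following is an added illustration (not the plugin's code, which is not shown in this record) of a hypothetical settings-tab handler written twice: the vulnerable pattern that applies any POST it receives, and the hardened form that verifies a WordPress nonce and the caller's capability before saving. The option name cits_allow_svg, the field names and the action string cits_save_settings are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Option name, field names and the
// 'cits_save_settings' action string are assumptions.

// Vulnerable pattern: the handler trusts any POST that reaches the admin page.
// A form submitted from another site by a logged-in administrator's browser
// carries the admin cookies, so the setting is changed without consent.
function cits_settings_tab_vulnerable() {
    if ( isset( $_POST['cits_allow_svg'] ) ) {
        update_option( 'cits_allow_svg', (bool) $_POST['cits_allow_svg'] );
    }
}

// Hardened pattern: capability check plus nonce verification before any state
// change. check_admin_referer() stops execution with a "link has expired"
// message when the nonce is missing, stale, or tied to another action or
// user, and a cross-site form cannot obtain a valid one for this admin.
function cits_settings_tab_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'cits' ) );
    }
    if ( isset( $_POST['cits_allow_svg'] ) ) {
        check_admin_referer( 'cits_save_settings', 'cits_settings_nonce' );
        update_option( 'cits_allow_svg', (bool) absint( $_POST['cits_allow_svg'] ) );
    }
    // Render the form; wp_nonce_field() emits the hidden nonce input (and the
    // referer field) that check_admin_referer() above expects on submission.
    echo '<form method="post">';
    wp_nonce_field( 'cits_save_settings', 'cits_settings_nonce' );
    printf(
        '<label><input type="checkbox" name="cits_allow_svg" value="1" %s> %s</label>',
        checked( (bool) get_option( 'cits_allow_svg' ), true, false ),
        esc_html__( 'Allow SVG uploads', 'cits' )
    );
    submit_button();
    echo '</form>';
}
```

The same check applies to every field the settings tab saves; a nonce on one field while another is written unchecked leaves the tab forgeable.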


Advisories

  Source: EUVD
  ID:     EUVD-2025-7192
  Title:  (same text as the Description above)
History

Mon, 24 Mar 2025 16:15:00 +0000

  Type:           Metrics (ssvc)
  Values Removed: (none)
  Values Added:   {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 22 Mar 2025 06:45:00 +0000

  Type:           Description
  Values Removed: (none)
  Values Added:   (the Description text shown at the top of this record)

  Type:           Title
  Values Removed: (none)
  Values Added:   CITS Support svg, webp Media and TTF,OTF File Upload, Use Custom Fonts <= 4.2 - Cross-Site Request Forgery to Settings Update

  Type:           Weaknesses
  Values Removed: (none)
  Values Added:   CWE-352

  Type:           References
  Values Removed: (none)
  Values Added:   (no values shown)

  Type:           Metrics (cvssV3_1)
  Values Removed: (none)
  Values Added:   {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:46:22.233Z

Reserved: 2025-01-28T15:02:45.825Z

Link: CVE-2025-0807

Vulnrichment

Updated: 2025-03-24T14:51:42.935Z

NVD

Status: Deferred

Published: 2025-03-22T07:15:24.260

Modified: 2026-06-17T08:27:10.720

Link: CVE-2025-0807

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T19:15:25Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)