CITS Support WordPress Plugin Cross-Site Request Forgery Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in the CITS Support SVG, WebP Media and TTF, OTF File Upload, Use Custom Fonts plugin for WordPress, affecting all versions through 4.2. The vulnerability arises from inadequate nonce validation in the 'cits_assign_fonts_tab()' function, allowing unauthenticated attackers to delete font assignments by tricking a site administrator into clicking a link.

Impact

Exploitation of this vulnerability allows for unauthorized deletion of font assignments, which could disrupt the intended design and functionality of a WordPress site.

Reproduction

To reproduce this vulnerability, an attacker must send a forged request to a WordPress site using the vulnerable plugin. This can be done by tricking an administrator into clicking a link that contains the necessary parameters to delete a font assignment, bypassing the missing nonce validation.