CVE-2024-47305 Overview
CVE-2024-47305 is a Cross-Site Request Forgery (CSRF) vulnerability in the Dineshkarki Use Any Font WordPress plugin, affecting all versions up to and including 6.3.08. An attacker crafts a request to one of the plugin's state-changing handlers and embeds it in a page under their control; when an administrator who is logged in to the target site visits that page, the browser submits the request with the administrator's session cookies attached and the site carries out an action the administrator never intended. The weakness is classified as CWE-352 and stems from missing or insufficient WordPress nonce validation in the plugin's request handlers.
Critical Impact
Successful exploitation rides an authenticated administrator's session to modify plugin settings or upload font assets without the administrator's consent. The direct impact is on integrity; confidentiality and availability are affected only insofar as the altered settings or uploaded assets expose or break site content.
Affected Products
- Dineshkarki Use Any Font WordPress plugin, all versions up to and including 6.3.08
- WordPress installations using the use-any-font plugin in production
- Sites whose administrators browse untrusted content in the same browser profile they use to manage WordPress
Discovery Timeline
- 2024-09-25 - CVE-2024-47305 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2024-47305
Vulnerability Analysis
The vulnerability is a classic CSRF weakness in the plugin's administrative request handlers: privileged actions are processed without validating a WordPress nonce or otherwise verifying that the request originated from the site's own admin interface. An attacker hosts a page containing a forged form or fetch request aimed at a plugin endpoint. When a logged-in WordPress administrator visits that page, the browser sends the request with the administrator's session cookies attached, and the plugin, having no way to tell a forged request from a legitimate one, executes the state-changing action.
Exploitation requires user interaction: a privileged user must visit the attacker's content while holding an active WordPress admin session. The attacker needs no account on the target site. The EPSS score is 0.251% (48th percentile), indicating a low predicted probability of exploitation in the wild, though the vector remains credible for targeted phishing against site administrators.
Root Cause
The plugin does not enforce WordPress nonce verification via check_admin_referer() or wp_verify_nonce() on its sensitive endpoints. Without that check the server cannot distinguish a legitimate request submitted from the plugin's own admin page from a forged cross-origin request that merely rides on the administrator's session cookie.
Attack Vector
The attack is network-based and requires user interaction. An attacker lures a logged-in WordPress administrator to a page under the attacker's control. That page issues a cross-origin request to the vulnerable plugin endpoint on the target site. The forged request inherits the administrator's authentication context and triggers whatever state changes the unprotected handlers expose, such as font uploads or configuration changes.
For technical details, refer to the Patchstack WordPress Vulnerability Advisory.
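To make the root cause and the attack vector concrete, here is an added example written for this page; it is not code from the Use Any Font plugin or from the Patchstack advisory. It shows the CWE-352 pattern in a WordPress admin-post handler next to its hardened form. The action name uaf_demo_save, the option name uaf_demo_option, the font_family field and the hostname victim.example are hypothetical placeholders chosen for illustration and do not reproduce the plugin's real endpoints or parameters.

```php
<?php
/*
 * Added example, not code from the Use Any Font plugin. The action name,
 * option name, field name and hostname below are assumptions for illustration.
 */

// --- Vulnerable pattern: a state-changing handler that trusts the session
// cookie alone. Any cross-origin POST that the victim's browser sends with
// the admin's cookies attached updates the option.
add_action( 'admin_post_uaf_demo_save_vuln', function () {
    update_option( 'uaf_demo_option', sanitize_text_field( wp_unslash( $_POST['font_family'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'admin.php?page=use-any-font' ) );
    exit;
} );

// --- Hardened pattern: capability check plus nonce verification.
// check_admin_referer() calls wp_die() when the nonce is missing or does not
// verify for the current user and action, so a forged cross-site form is
// rejected before any state changes.
add_action( 'admin_post_uaf_demo_save', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    check_admin_referer( 'uaf_demo_save', '_wpnonce' );
    update_option( 'uaf_demo_option', sanitize_text_field( wp_unslash( $_POST['font_family'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'admin.php?page=use-any-font' ) );
    exit;
} );

// The legitimate settings form embeds the matching nonce, so only forms the
// site itself rendered for this user pass check_admin_referer().
function uaf_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="uaf_demo_save">
        <?php wp_nonce_field( 'uaf_demo_save', '_wpnonce' ); ?>
        <input type="text" name="font_family" value="<?php echo esc_attr( get_option( 'uaf_demo_option', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

/*
 * The attacker's lure page (plain HTML on a host the attacker controls) needs
 * only an auto-submitting form. Against the vulnerable handler the browser
 * attaches the admin's wordpress_logged_in_* cookie and the option is
 * overwritten; against the hardened handler the same request fails nonce
 * verification, because the attacker cannot read a nonce tied to the victim's
 * session. victim.example is a placeholder.
 *
 *   <form id="f" method="post" action="https://victim.example/wp-admin/admin-post.php">
 *     <input type="hidden" name="action" value="uaf_demo_save_vuln">
 *     <input type="hidden" name="font_family" value="attacker-controlled">
 *   </form>
 *   <script>document.getElementById('f').submit();</script>
 */
```

The fix is two independent checks: current_user_can() answers "may this user do this at all?", and check_admin_referer() answers "did this request come from a form the site rendered for this user?". A nonce alone is not authorization, and a capability check alone does not stop CSRF, because the forged request runs with the victim's full capabilities. Browser SameSite=Lax cookie defaults reduce the reach of cross-site form posts in some browsers, but behaviour differs between browsers and versions, so they must not be relied on in place of the nonce.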
Detection Methods for CVE-2024-47305
Indicators of Compromise
- Unexpected changes to Use Any Font plugin settings, or unexpected font files appearing under wp-content/uploads/
- POST requests to wp-admin endpoints whose Referer (or Origin) header names an external, untrusted domain
- Unusual POST requests to plugin endpoints under wp-admin/admin.php?page=use-any-font that carry no _wpnonce parameter (a nonce submitted in the POST body is not visible in standard access logs, so this indicator is only usable where request bodies are captured)
Detection Strategies
- Inspect web server access logs for POST requests to Use Any Font plugin endpoints whose Referer header is absent or names a host other than the site's own
- Audit the installed plugin code (use-any-font/use-any-font.php and the files it includes) for admin action handlers that change state without a check_admin_referer() or wp_verify_nonce() call
- Correlate state-changing plugin requests with the administrator's concurrent browsing (proxy or endpoint logs) to spot submissions that arrived while the administrator was on an external page rather than in wp-admin
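An added example, not part of the advisory or the plugin, that implements the first detection strategy above over combined-format access logs in PHP 8. The log lines are constructed for this example; wp.example.com and lure.attacker.example are placeholder hostnames. Because a nonce submitted in the POST body never reaches an access log, the script keys on method, target page and Referer host rather than on _wpnonce.

```php
<?php
// Added example for this page, not code from the advisory or the plugin.
// Flags POST requests to the Use Any Font admin page whose Referer is absent
// or names a host other than the site itself. Requires PHP 8.0+.

const SITE_HOST = 'wp.example.com'; // assumption: the protected site's own host

// Apache/nginx "combined" format:
// host ident authuser [time] "METHOD URI PROTO" status bytes "referer" "user-agent"
const LOG_RE = '~^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$~';

function parse_line(string $line): ?array
{
    if (!preg_match(LOG_RE, $line, $m)) {
        return null;
    }
    return [
        'ip'      => $m[1],
        'time'    => $m[2],
        'method'  => $m[3],
        'uri'     => $m[4],
        'status'  => (int) $m[5],
        'referer' => $m[6],
    ];
}

// The endpoint named in this advisory: wp-admin/admin.php?page=use-any-font.
function targets_plugin(string $uri): bool
{
    $path  = (string) parse_url($uri, PHP_URL_PATH);
    $query = parse_url($uri, PHP_URL_QUERY);
    parse_str(is_string($query) ? $query : '', $q);
    return str_ends_with($path, '/wp-admin/admin.php') && ($q['page'] ?? '') === 'use-any-font';
}

// Host part of the Referer, or null when the header was empty ("-" in logs).
function referer_host(string $referer): ?string
{
    if ($referer === '' || $referer === '-') {
        return null;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) ? strtolower($host) : null;
}

// Returns the suspicious entries, each with a 'reason' field.
function find_csrf_suspects(array $lines, string $site_host = SITE_HOST): array
{
    $hits = [];
    foreach ($lines as $line) {
        $r = parse_line($line);
        if ($r === null || $r['method'] !== 'POST' || !targets_plugin($r['uri'])) {
            continue;
        }
        $host = referer_host($r['referer']);
        if ($host === null) {
            // Legitimate wp-admin form posts carry a same-origin Referer; a lure page
            // can suppress it with Referrer-Policy: no-referrer, so absence is a signal too.
            $hits[] = $r + ['reason' => 'state-changing request without Referer'];
        } elseif ($host !== strtolower($site_host)) {
            $hits[] = $r + ['reason' => "Referer from foreign host $host"];
        }
    }
    return $hits;
}

// Constructed sample lines (not real traffic): a benign settings-page load, a
// benign save from wp-admin, a save referred from a lure page, a save with the
// Referer suppressed, and an unrelated login POST. Only the third and fourth
// lines should be reported.
$SAMPLE_LOG = [
    '10.0.0.5 - - [25/Sep/2024:10:01:02 +0000] "GET /wp-admin/admin.php?page=use-any-font HTTP/1.1" 200 5120 "https://wp.example.com/wp-admin/" "Mozilla/5.0"',
    '10.0.0.5 - - [25/Sep/2024:10:01:30 +0000] "POST /wp-admin/admin.php?page=use-any-font HTTP/1.1" 302 0 "https://wp.example.com/wp-admin/admin.php?page=use-any-font" "Mozilla/5.0"',
    '10.0.0.5 - - [25/Sep/2024:10:07:41 +0000] "POST /wp-admin/admin.php?page=use-any-font HTTP/1.1" 302 0 "https://lure.attacker.example/free-fonts.html" "Mozilla/5.0"',
    '10.0.0.5 - - [25/Sep/2024:10:09:13 +0000] "POST /wp-admin/admin.php?page=use-any-font HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Sep/2024:10:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3000 "https://wp.example.com/wp-login.php" "Mozilla/5.0"',
];

// Usage: php csrf_hunt.php [access.log]   (falls back to the constructed sample)
$lines = isset($argv[1]) ? file($argv[1], FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) : $SAMPLE_LOG;
foreach (find_csrf_suspects($lines) as $hit) {
    printf("[%s] %s %s %s -> %s\n", $hit['time'], $hit['ip'], $hit['method'], $hit['uri'], $hit['reason']);
}
```

Treat hits as leads, not verdicts: a Referer can be stripped by privacy extensions or corporate proxies, so a missing header on its own produces false positives, while a matching same-origin Referer can be absent from a genuine lure only if the attacker cannot control the victim's referrer policy. Pair the log review with the audit-log and file-monitoring checks above before concluding that a request was forged.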
Monitoring Recommendations
- Enable WordPress audit logging to track plugin configuration changes and font asset uploads
- Monitor for new or modified files under the plugin's upload directories outside of scheduled administrative activity
- Alert when an administrator's session visits untrusted external domains within minutes of a privileged plugin action
How to Mitigate CVE-2024-47305
Immediate Actions Required
- Update the Use Any Font plugin to a release later than 6.3.08 as soon as the vendor publishes a fixed version
- Have administrators avoid browsing untrusted sites in the same browser profile used for site management
- Enforce strong session controls, including short admin session lifetimes and re-authentication for sensitive actions
Patch Information
Review the Patchstack WordPress Vulnerability Advisory for vendor remediation status. If no patched version is available, deactivate and remove the plugin until a fix is released.
Workarounds
- Deactivate the Use Any Font plugin until a patched version is released by the vendor
- Deploy a Web Application Firewall (WAF) rule that blocks POST requests to plugin endpoints lacking a _wpnonce parameter or carrying an external Referer header; a WAF can only check that the parameter is present, not that the nonce is valid, so this narrows the attack surface rather than closing it
- Use browser isolation or a dedicated administrative browser profile for WordPress management to limit exposure to CSRF lures
# Example WAF rule (ModSecurity) to block POSTs to the plugin's admin page that carry no _wpnonce parameter. The REQUEST_METHOD check keeps the GET that loads the settings page from being blocked.
# A WAF cannot validate the nonce itself (it is derived server-side from the user's session token), so this catches naive forged forms only; the real fix is the server-side check.
SecRule REQUEST_URI "@contains /wp-admin/admin.php" \
    "chain,phase:2,deny,status:403,id:1004730501,msg:'CVE-2024-47305 CSRF block'"
    SecRule REQUEST_METHOD "@streq POST" "chain"
    SecRule ARGS:page "@streq use-any-font" "chain"
    SecRule &ARGS:_wpnonce "@eq 0"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


