Attack Vectors
TypeSquare Webfonts for ConoHa (WordPress plugin slug: ts-webfonts-for-conoha) versions up to and including 2.0.3 contain a Medium-severity stored cross-site scripting (XSS) issue (CVE-2023-25458, CVSS 4.4). The attack requires an authenticated user with Administrator (or higher) privileges.
An attacker who can access an administrator account (for example, through credential compromise, shared admin logins, or a malicious insider) could inject malicious script into the site through the plugin’s administrative inputs (the issue is described as affecting unspecified parameters). Because this is stored XSS, the injected code is saved in the WordPress database and can run later when a user visits the affected admin page or any page where the stored content is rendered.
Security Weakness
The underlying weakness is insufficient input sanitization and output escaping in TypeSquare Webfonts for ConoHa versions <= 2.0.3. In plain business terms: the plugin does not reliably treat admin-provided fields as untrusted data, allowing script content to be stored and later displayed in a way that the browser interprets as active code.
The CVSS vector rates this vulnerability PR:H (high privileges required), which lowers its likelihood compared with issues reachable by unauthenticated visitors. It still matters because administrator accounts are high-value targets and are frequently involved in real-world breaches.
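To make the weakness concrete, the following is an added illustration (not the plugin's own code, and not a reconstruction of the actual flaw): a hypothetical WordPress settings field shown first in the pattern described above (admin input stored and echoed without sanitization or escaping) and then in the hardened form WordPress provides for it. Option, group and function names are assumptions; it expects to run inside WordPress, where register_setting(), get_option(), sanitize_text_field() and esc_attr() are core API.

```php
<?php
// Added example, not code from TypeSquare Webfonts for ConoHa.
// Option name 'ts_demo_font_label' and group 'ts_demo_group' are hypothetical.

// --- Weak pattern: stored as-is, rendered raw -------------------------------
function ts_demo_register_unsafe() {
    // No sanitize_callback: whatever the admin form POSTs is written to wp_options.
    register_setting( 'ts_demo_group', 'ts_demo_font_label' );
}

function ts_demo_render_unsafe() {
    $label = get_option( 'ts_demo_font_label', '' );
    // Raw echo inside an attribute. A stored value containing a double quote
    // closes the attribute, so any markup that follows is parsed as HTML and
    // executes every time the settings page is loaded (stored XSS).
    echo '<input type="text" name="ts_demo_font_label" value="' . $label . '">';
}

// --- Hardened pattern: sanitize on save, escape on output -------------------
function ts_demo_register_safe() {
    register_setting( 'ts_demo_group', 'ts_demo_font_label', array(
        'type'              => 'string',
        // Runs before the value is stored: strips tags, normalises whitespace.
        'sanitize_callback' => 'sanitize_text_field',
        'default'           => '',
    ) );
}

function ts_demo_render_safe() {
    $label = get_option( 'ts_demo_font_label', '' );
    // esc_attr() encodes quotes, <, > and &, so the value can only ever be text
    // inside the attribute, regardless of what survived sanitization or was
    // written to the database by another path.
    printf(
        '<input type="text" name="ts_demo_font_label" value="%s">',
        esc_attr( $label )
    );
}

// Match the escaper to the context wherever the option is rendered:
// esc_html() for text nodes, esc_url() for href/src, wp_kses_post() when a
// limited set of HTML is intentionally allowed.
add_action( 'admin_init', 'ts_demo_register_safe' );
```

Sanitizing on save and escaping on output are both required; the second guards against values that reach the database through other means, which is what a reviewer would check for in each place the option is printed.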
Technical or Business Impacts
If exploited, stored XSS can enable actions in the context of whoever views the injected page. Depending on who triggers it (an admin, editor, or other logged-in user), business impacts can include: unauthorized changes to site settings or content, insertion of unwanted links or spam that damages SEO performance, collection of session information, and reputational harm if visitors encounter unexpected redirects or defacement-like behavior.
For regulated organizations, even a “Medium” issue can become a compliance concern when it creates a path to unauthorized content changes or potential exposure of user/session information. This matters for brand trust, marketing attribution integrity, and the reliability of on-site conversion flows.
Remediation: Update TypeSquare Webfonts for ConoHa to version 2.0.4 or newer (patched). Reference: CVE-2023-25458 and the vendor/community advisory details at Wordfence threat intel.
Similar Attacks
Stored XSS has been used broadly to tamper with site content, inject spam, and hijack user sessions. Examples you can review:
CISA Alert: Multiple Vulnerabilities in WordPress Plugin InfiniteWP Client