Description

The TK Google Fonts GDPR Compliant plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tk_google_fonts_delete_font function in all versions up to, and including, 2.2.11. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete arbitrary Google fonts. We believe CVE-2023-5823 may be misreported as a CSRF as there is no nonce check that was added in 2.2.12, but instead a capability check.
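
The bug class described above, shown as an added example that is not the plugin's own code: a WordPress AJAX handler without a capability check beside the same handler with one. The `example_*` function names, the `example_delete_font` action, the `example_selected_fonts` option and the choice of `manage_options` as the required capability are all assumptions made for illustration.

```php
<?php
// Illustrative code only; not taken from the TK Google Fonts plugin.
// All example_* names and the 'manage_options' capability are assumptions.

// wp_ajax_{action} hooks fire for every logged-in user, subscribers included,
// so the handler itself has to decide who is allowed to change data.
add_action( 'wp_ajax_example_delete_font', 'example_delete_font_checked' );

// Before (left unhooked here): no authorization, so any authenticated
// account that reaches admin-ajax.php can modify the stored font list.
function example_delete_font_unchecked() {
    $font = isset( $_POST['font'] ) ? wp_unslash( $_POST['font'] ) : '';
    example_remove_font( $font );
    wp_send_json_success();
}

// After: the capability check runs before any state change.
// wp_send_json_error() sends the response and terminates the request.
function example_delete_font_checked() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    $font = isset( $_POST['font'] ) ? wp_unslash( $_POST['font'] ) : '';
    example_remove_font( $font );
    wp_send_json_success();
}

// Shared helper: removes one entry from a hypothetical font option.
function example_remove_font( $font ) {
    $font  = sanitize_text_field( $font );
    $fonts = (array) get_option( 'example_selected_fonts', array() );
    unset( $fonts[ $font ] );
    update_option( 'example_selected_fonts', $fonts );
}
```

A nonce check (for example `check_ajax_referer()`) addresses CSRF and is a separate control; it does not replace the capability check, because a subscriber can obtain a valid nonce for their own session.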