WordPress Plugin Vulnerabilities

Custom Fonts – Host Your Fonts Locally < 2.1.17 - Missing Authorization to Unauthenticated Font Deletion

Description

The Custom Fonts – Host Your Fonts Locally plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'BCF_Google_Fonts_Compatibility' class constructor function in all versions up to, and including, 2.1.16. This makes it possible for unauthenticated attackers to delete font directory and rewrite theme.json file.

Affects Plugins

Plugin icon
custom-fonts
Fixed in 2.1.17

References

CVE
CVE-2025-14351
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/60e3a506-8811-4e7d-a16c-02f91c757705

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
type5afe
Verified
No
WPVDB ID
31861a1d-56cf-4db6-b374-712f3acbcecb

Timeline

Publicly Published
2026-01-19 (about 3 months ago)
Added
2026-01-19 (about 3 months ago)
Last Updated
2026-01-20 (about 3 months ago)

Other

Published
Title
Published
2025-04-02
Title
Clients <= 1.1.4 - Missing Authorization
Published
2024-04-22
Title
Max Addons Pro for Bricks < 1.6.2 - Missing Authorization
Published
2025-12-11
Title
Reformer for Elementor <= 1.0.6 - Missing Authorization
Published
2026-01-08
Title
Booking for Appointments and Events Calendar – Amelia < 2.0.0 - Missing Authorization to Unauthenticated Multiple AJAX Actions
Published
2025-04-29
Title
Custom PC Builder Lite for WooCommerce <= 1.0.1 - Missing Authorization to Unauthenticated Settings Update