CVE-2025-14351
📋 TL;DR
This vulnerability in the Custom Fonts WordPress plugin allows unauthenticated attackers to delete font directories and rewrite theme.json files due to missing capability checks. All WordPress sites using this plugin up to version 2.1.16 are affected. Attackers can disrupt website appearance and functionality without requiring login credentials.
💻 Affected Systems
- Custom Fonts – Host Your Fonts Locally WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete website defacement or disruption by deleting critical font files and modifying theme configuration, potentially breaking site functionality and requiring restoration from backups.
Likely Case
Partial website disruption with broken fonts and layout issues, requiring manual restoration of font files and theme.json configuration.
If Mitigated
Minimal impact if proper file permissions and web application firewalls block unauthorized directory deletion attempts.
🎯 Exploit Status
The vulnerability requires no authentication and involves simple HTTP requests to trigger the vulnerable constructor function.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.17
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3442237/custom-fonts
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Custom Fonts – Host Your Fonts Locally'. 4. Click 'Update Now' if available, or download version 2.1.17+ from WordPress repository. 5. Activate the updated plugin.
🔧 Temporary Workarounds
Disable vulnerable plugin
allTemporarily deactivate the Custom Fonts plugin until patched
wp plugin deactivate custom-fonts
Restrict plugin access
allUse web application firewall to block requests to vulnerable plugin endpoints
🧯 If You Can't Patch
- Disable the Custom Fonts plugin immediately
- Implement strict file permissions on wp-content/uploads/custom-fonts directory
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Custom Fonts version. If version is 2.1.16 or lower, you are vulnerable.Check Version:
wp plugin get custom-fonts --field=versionVerify Fix Applied:
Verify plugin version is 2.1.17 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unauthenticated POST requests to /wp-admin/admin-ajax.php with action=bcf_google_fonts_compatibility
- File deletion events in wp-content/uploads/custom-fonts directory
- theme.json modification timestamps
Network Indicators:
- HTTP requests to admin-ajax.php with suspicious action parameters from unauthenticated sources
SIEM Query:
source="wordpress.log" AND ("admin-ajax.php" AND "bcf_google_fonts_compatibility") AND NOT user!="-"