CVE-2025-14351
Unknown Unknown - Not Provided
Unauthorized Data Deletion in Custom Fonts WordPress Plugin

Publication date: 2026-01-20

Last updated on: 2026-01-20

Assigner: Wordfence

Description
The Custom Fonts – Host Your Fonts Locally plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'BCF_Google_Fonts_Compatibility' class constructor function in all versions up to, and including, 2.1.16. This makes it possible for unauthenticated attackers to delete font directory and rewrite theme.json file.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-20
Last Modified
2026-01-20
Generated
2026-06-16
AI Q&A
2026-01-21
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14351
EUVD
EUVD-2026-3480
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
unknown_vendor custom_fonts to 2.1.16 (inc)
unknown_vendor custom_fonts 2.1.17
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided resources and context do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

The vulnerability in the Custom Fonts – Host Your Fonts Locally WordPress plugin exists because the 'BCF_Google_Fonts_Compatibility' class constructor function lacks a capability check. This allows unauthenticated attackers to delete the font directory and rewrite the theme.json file, leading to unauthorized loss of data. Essentially, attackers can trigger font rebuild operations without proper permission checks, enabling them to delete local font files and modify theme configuration files. [2, 3]

Impact Analysis

This vulnerability can impact you by allowing unauthorized attackers to delete your locally hosted font files and alter your theme's configuration (theme.json). This could disrupt the appearance of your website by removing fonts and potentially causing theme malfunctions or visual inconsistencies. Since the attacker does not need to be authenticated, it poses a risk of data loss and site integrity issues without your knowledge. [2, 3]

Detection Guidance

Detection can involve checking if your WordPress site is running the Custom Fonts plugin version 2.1.16 or earlier, which is vulnerable. You can verify the plugin version via the WordPress admin dashboard or by running the command `wp plugin list` if WP-CLI is installed. Additionally, monitoring for unauthorized requests to the admin page with parameters like `page=bsf-custom-fonts` and `bcf_rebuild_fonts` could indicate exploitation attempts. For example, you can check web server logs for GET or POST requests containing these parameters. There are no specific commands provided in the resources for direct detection of exploitation. [2, 3]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the Custom Fonts plugin to version 2.1.17 or later, where the vulnerability has been fixed by adding proper capability checks and nonce verification to prevent unauthorized font rebuild operations. Until the update is applied, restrict access to the WordPress admin area to trusted users only and monitor for suspicious requests targeting the font rebuild functionality. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14351. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart