CVE-2025-14351
Unauthorized Data Deletion in Custom Fonts WordPress Plugin
Publication date: 2026-01-20
Last updated on: 2026-01-20
Assigner: Wordfence
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range | Status |
|---|---|---|---|
| unknown_vendor | custom_fonts | up to and including 2.1.16 | Vulnerable |
| unknown_vendor | custom_fonts | 2.1.17 | Fixed |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources and context contain no information about the impact of this vulnerability on compliance with standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
The Custom Fonts – Host Your Fonts Locally WordPress plugin, in all versions up to and including 2.1.16, is missing a capability check in the constructor of the 'BCF_Google_Fonts_Compatibility' class (CWE-862). Because the constructor acts on the request without verifying who is making it, an unauthenticated attacker can trigger the plugin's font rebuild operation, which deletes the locally hosted font directory and rewrites the theme's theme.json file. The result is unauthorized loss of data rather than code execution or data disclosure. [2, 3]
How can this vulnerability impact me?
An attacker who can reach your site can delete your locally hosted font files and overwrite your theme's configuration (theme.json). Visually, that means missing fonts and possible theme malfunctions or inconsistent rendering; operationally, it means a loss of data that you will have to restore from backup. Because no authentication is required, the deletion can happen without any prior sign of compromise and without your knowledge. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
First establish exposure: any site running the Custom Fonts plugin at version 2.1.16 or earlier is vulnerable. Check the version in the WordPress admin dashboard under Plugins, or with WP-CLI using `wp plugin list`. Then look for exploitation attempts: requests to the admin page carrying the parameters `page=bsf-custom-fonts` and `bcf_rebuild_fonts` are the trigger for the font rebuild, so search your web server access logs for GET or POST requests that contain both parameters, paying particular attention to requests from clients that never authenticated. Unexpected disappearance of the local font directory or a changed modification time on theme.json are after-the-fact indicators. The resources do not provide a purpose-built detection command beyond these checks. [2, 3]
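The two checks described above (vulnerable version range, and access-log requests carrying both parameters) as a small PHP CLI script. This is an added example written for this page, not code from the plugin, from Wordfence or from the resources cited; the request parameters and version boundary are those stated on the page, the log format assumed is the common Apache/nginx combined format, and the sample lines are constructed, not a real capture.

```php
<?php
// Illustrative log-review helper (added here; not part of the plugin or the advisory).
// Usage: php detect_bcf_rebuild.php /var/log/apache2/access.log
// Without an argument it runs over the constructed sample lines embedded below.
declare(strict_types=1);

const FIXED_VERSION = '2.1.17';

/** True when an installed Custom Fonts version is in the affected range (2.1.16 and earlier). */
function is_vulnerable_version(string $installed): bool
{
    return version_compare($installed, FIXED_VERSION, '<');
}

/**
 * True when the request line ("METHOD /path?query HTTP/x") carries both query
 * parameters the advisory associates with the font-rebuild action. The path is
 * deliberately not checked, so a hit is flagged wherever the parameters appear.
 */
function is_rebuild_request(string $requestLine): bool
{
    if (!preg_match('#^(?:GET|POST|HEAD)\s+(\S+)#', $requestLine, $m)) {
        return false;
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($query)) {
        return false;
    }
    parse_str($query, $params);
    return isset($params['page'], $params['bcf_rebuild_fonts'])
        && $params['page'] === 'bsf-custom-fonts';
}

/** Splits a combined-format access log line into client IP, timestamp, request line and status. */
function parse_access_line(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})/', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'request' => $m[3], 'status' => (int) $m[4]];
}

/** Returns the parsed entries that look like font-rebuild requests. */
function find_rebuild_requests(iterable $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $entry = parse_access_line(trim((string) $line));
        if ($entry !== null && is_rebuild_request($entry['request'])) {
            $hits[] = $entry;
        }
    }
    return $hits;
}

// Constructed sample lines (not a real capture): a scripted hit from a client that never
// logged in, an ordinary settings-page view that must not be flagged, and a browser-driven rebuild.
$sample = [
    '203.0.113.7 - - [20/Jan/2026:10:00:00 +0000] "GET /wp-admin/admin.php?page=bsf-custom-fonts&bcf_rebuild_fonts=1 HTTP/1.1" 302 0 "-" "curl/8.4.0"',
    '198.51.100.2 - - [20/Jan/2026:10:00:01 +0000] "GET /wp-admin/admin.php?page=bsf-custom-fonts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [20/Jan/2026:10:00:02 +0000] "POST /wp-admin/admin.php?page=bsf-custom-fonts&bcf_rebuild_fonts=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
];

$lines = isset($argv[1]) ? new SplFileObject($argv[1]) : $sample;
foreach (find_rebuild_requests($lines) as $hit) {
    printf("%s  %-15s  %d  %s\n", $hit['time'], $hit['ip'], $hit['status'], $hit['request']);
}
```

Run against the sample input, the first and third lines are reported and the plain settings-page view is not. A hit from a client address that never appears in a successful `wp-login.php` POST is the strongest signal of an unauthenticated trigger; `is_vulnerable_version()` can be fed the version string from `wp plugin list` to decide whether a reported hit could actually have caused damage.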
What immediate steps should I take to mitigate this vulnerability?
Update the Custom Fonts plugin to version 2.1.17 or later. The fix adds a capability check and nonce verification to the font rebuild code path, so unauthorized requests can no longer trigger it. Until the update is applied, note that restricting the WordPress admin area to trusted users reduces but does not remove the exposure, because the vulnerable path is reachable without authentication; blocking requests that carry the `page=bsf-custom-fonts` and `bcf_rebuild_fonts` parameters at the web server or WAF is a more direct interim control. Keep a current backup of the plugin's font directory and of theme.json so that a deletion can be reversed, and monitor for requests targeting the font rebuild functionality. [2]
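The defect and the fix as a side-by-side reconstruction of the bug class, written for this page as an illustration; it is not the plugin's code and makes no claim about how 'BCF_Google_Fonts_Compatibility' is actually written. Class and method names are hypothetical, the `manage_options` capability and the `admin_init` hook are the author's choices, and only the two request parameters are taken from the advisory.

```php
<?php
/**
 * Illustrative reconstruction of CWE-862 in a WordPress plugin and the pattern the fixed
 * version applies (capability check plus nonce verification). Added example; not the
 * plugin's own code. Drop into a throwaway plugin to compare the two behaviours.
 */

/** Shared destructive body: empties a local font directory and rewrites theme.json. */
trait Example_Font_Rebuild {
    private string $font_dir;
    private string $theme_json;

    private function rebuild_fonts(): void {
        foreach ( glob( trailingslashit( $this->font_dir ) . '*' ) ?: array() as $file ) {
            if ( is_file( $file ) ) {
                wp_delete_file( $file );
            }
        }
        // Hypothetical minimal theme.json with an empty font list.
        $json = array( 'version' => 2, 'settings' => array( 'typography' => array( 'fontFamilies' => array() ) ) );
        file_put_contents( $this->theme_json, wp_json_encode( $json, JSON_PRETTY_PRINT ) );
    }
}

/** BEFORE: the constructor acts on request parameters as soon as the plugin loads. */
class Example_Fonts_Compatibility_Vulnerable {
    use Example_Font_Rebuild;

    public function __construct( string $font_dir, string $theme_json ) {
        $this->font_dir   = $font_dir;
        $this->theme_json = $theme_json;
        // No capability check and no nonce: anyone who can send this request triggers the rebuild.
        if ( isset( $_GET['page'], $_GET['bcf_rebuild_fonts'] ) && 'bsf-custom-fonts' === $_GET['page'] ) {
            $this->rebuild_fonts();
        }
    }
}

/** AFTER: the handler runs in admin context and requires both authorization and a valid nonce. */
class Example_Fonts_Compatibility_Fixed {
    use Example_Font_Rebuild;

    const NONCE_ACTION = 'bcf_rebuild_fonts';

    public function __construct( string $font_dir, string $theme_json ) {
        $this->font_dir   = $font_dir;
        $this->theme_json = $theme_json;
        // Defer to admin_init so the current user is resolved before any decision is made.
        add_action( 'admin_init', array( $this, 'maybe_rebuild_fonts' ) );
    }

    /** Returns true only when an authorized, nonce-bearing request triggered the rebuild. */
    public function maybe_rebuild_fonts(): bool {
        if ( ! isset( $_GET['page'], $_GET['bcf_rebuild_fonts'] ) || 'bsf-custom-fonts' !== $_GET['page'] ) {
            return false;
        }
        // 1. Authorization (CWE-862 fix): 'manage_options' is an assumed capability for this action.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( esc_html__( 'You are not allowed to rebuild fonts.', 'example' ), '', array( 'response' => 403 ) );
        }
        // 2. CSRF protection: the nonce must have been minted for this action and this user.
        check_admin_referer( self::NONCE_ACTION );
        $this->rebuild_fonts();
        return true;
    }

    /** Builds the only legitimate trigger link, with the nonce attached. */
    public static function rebuild_url(): string {
        $url = add_query_arg(
            array( 'page' => 'bsf-custom-fonts', 'bcf_rebuild_fonts' => '1' ),
            admin_url( 'admin.php' )
        );
        return wp_nonce_url( $url, self::NONCE_ACTION );
    }
}
```

The ordering matters in two ways. Moving the work out of the constructor and onto `admin_init` means it cannot run on a front-end or pre-authentication request at all, since WordPress core resolves the user and calls `auth_redirect()` before firing that hook. The capability check then stops low-privilege authenticated users, and `check_admin_referer()` stops a privileged user from being tricked into issuing the request from another site; a nonce alone would not have fixed this vulnerability, because an unauthenticated attacker does not need to forge anyone's request when no authorization is required in the first place.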