
Custom Fonts – Host Your Fonts Locally Vulnerability – Missing Authorization to Unauthenticated Font Deletion – CVE-2025-14351 | WordPress Plugin Vulnerability Report



Plugin Name: Custom Fonts – Host Your Fonts Locally


Key Information

Software Type: Plugin
Software Slug: custom-fonts
Software Status: Active
Software Author: brainstormforce
Software Downloads: 6,158,177
Active Installs: 300,000
Last Updated: January 22, 2026
Patched Versions: 2.1.17
Affected Versions: ≤ 2.1.16


Vulnerability Details

Name: Custom Fonts – Host Your Fonts Locally ≤ 2.1.16
Title: Missing Authorization to Unauthenticated Font Deletion
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVE: CVE-2025-14351
CVSS Score: 5.3
Publicly Published: January 19, 2026
Researcher: type5afe
Description:
The Custom Fonts – Host Your Fonts Locally plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the BCF_Google_Fonts_Compatibility class constructor in all versions up to and including 2.1.16. This allows unauthenticated attackers to delete the plugin’s font directory and rewrite the theme.json file.


Summary

The Custom Fonts – Host Your Fonts Locally plugin for WordPress contains a vulnerability in versions up to and including 2.1.16 that allows unauthenticated attackers to delete font files and modify the site’s theme.json configuration. This vulnerability has been patched in version 2.1.17.


Detailed Overview

This vulnerability is caused by a missing authorization check within the constructor of the BCF_Google_Fonts_Compatibility class. Because the constructor can be triggered without verifying user capabilities, unauthenticated requests can execute destructive actions.

An attacker could exploit this flaw to delete the directory where locally hosted fonts are stored and rewrite the theme.json file. While this does not enable code execution, it can significantly disrupt site appearance and functionality, especially for themes that rely heavily on custom fonts and block-based styling.
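The bug class is easier to see side by side. The following is an added illustrative example, not code from the Custom Fonts plugin: a hypothetical Example_Fonts_Compat class whose constructor runs a destructive reset when a request parameter is present (the vulnerable shape), next to a version that only registers a handler and verifies a capability and a nonce before touching anything. The class, action and parameter names are assumptions.

```php
<?php
// Added example (not the plugin's code). Names below are hypothetical.

// Shared destructive routine: removes the local font directory and rewrites theme.json.
function example_fonts_reset_files( $font_dir, $theme_json ) {
    if ( is_dir( $font_dir ) ) {
        array_map( 'unlink', glob( trailingslashit( $font_dir ) . '*' ) );
        rmdir( $font_dir );
    }
    file_put_contents( $theme_json, wp_json_encode( array( 'version' => 2 ) ) );
}

// Vulnerable shape: plugins construct compatibility classes on every request
// (e.g. on 'init'), so a constructor that acts on request input is reachable
// by any visitor. No capability check, no nonce: missing authorization.
class Example_Fonts_Compat_Vulnerable {
    public function __construct( $font_dir, $theme_json ) {
        if ( isset( $_GET['example_fonts_reset'] ) ) {
            example_fonts_reset_files( $font_dir, $theme_json );
        }
    }
}

// Hardened shape: the constructor only wires a handler. The handler runs
// on admin_post_{action} (logged-in users only) and still verifies the
// capability and a nonce before doing anything destructive.
class Example_Fonts_Compat_Fixed {
    private $font_dir;
    private $theme_json;

    public function __construct( $font_dir, $theme_json ) {
        $this->font_dir   = $font_dir;
        $this->theme_json = $theme_json;
        add_action( 'admin_post_example_fonts_reset', array( $this, 'handle_reset' ) );
    }

    public function handle_reset() {
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
        }
        check_admin_referer( 'example_fonts_reset' ); // dies on a missing/invalid nonce
        example_fonts_reset_files( $this->font_dir, $this->theme_json );
        wp_safe_redirect( admin_url( 'themes.php' ) );
        exit;
    }
}

$uploads = wp_upload_dir(); // 'example-fonts' is a placeholder subdirectory name
new Example_Fonts_Compat_Fixed(
    trailingslashit( $uploads['basedir'] ) . 'example-fonts',
    trailingslashit( get_stylesheet_directory() ) . 'theme.json'
);
```

The fix that matters is structural: constructors register hooks, and the privileged handler does the checking, so no code path reachable by an unauthenticated request performs a file operation.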

The issue was responsibly disclosed by type5afe and publicly published in January 2026. The plugin developers addressed the vulnerability by adding proper capability checks in version 2.1.17.

Risks and Potential Impact

The primary risk associated with this vulnerability is loss of data and site integrity rather than data theft. Deleting the font directory can break typography across the site, while rewriting theme.json can alter global styles, layouts, and visual settings.

For small businesses, this can translate into a broken or unprofessional-looking website, loss of brand consistency, and downtime while the issue is diagnosed and fixed. Restoring deleted files may require backups, which not all site owners have readily available.

How to Remediate the Vulnerability

The recommended remediation is to update the Custom Fonts plugin to version 2.1.17 or later immediately. This update ensures that only authorized users can trigger actions affecting font files and theme configuration.

After updating, site owners should verify that all custom fonts are still present and that the site’s appearance has not been altered. Restoring from a backup may be necessary if files were deleted prior to patching.


Advice for Users

Immediate Action:
Update the Custom Fonts – Host Your Fonts Locally plugin to version 2.1.17 or later as soon as possible.

Check for Signs of Vulnerability:
Look for missing fonts, changes in typography, or unexpected alterations to site styling. Reviewing the theme.json file for unexpected changes may also help identify prior exploitation.

Alternate Plugins:
While a patch is available, users may consider alternative font management plugins if minimizing file-level operations is a priority.

Stay Updated:
Keep WordPress core, plugins, and themes updated regularly. Vulnerabilities involving file deletion can cause significant disruption if left unpatched.
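To make the "check for signs" step repeatable, here is an added integrity check, not part of the plugin or the report, meant to be run with `wp eval-file fonts-check.php`. It verifies that the local font directory exists and is non-empty and compares a SHA-256 of theme.json against a baseline stored in a WordPress option on the first run. The font subdirectory name and the option name are assumptions.

```php
<?php
// Added example (not the plugin's code). Run after WordPress has loaded,
// e.g. via: wp eval-file fonts-check.php
// Assumptions: fonts live under <uploads>/example-fonts (placeholder name);
// the baseline hash is stored in the option 'example_theme_json_sha256'.

function example_fonts_check( $font_dir, $theme_json, $option = 'example_theme_json_sha256' ) {
    $findings = array();

    // 1. Is the local font directory still present and populated?
    if ( ! is_dir( $font_dir ) ) {
        $findings[] = "Font directory missing: $font_dir";
    } elseif ( count( glob( trailingslashit( $font_dir ) . '*' ) ) === 0 ) {
        $findings[] = "Font directory empty: $font_dir";
    }

    // 2. Has theme.json changed since the baseline was recorded?
    // (Classic themes may legitimately have no theme.json; treat as informational.)
    if ( ! file_exists( $theme_json ) ) {
        $findings[] = "theme.json not found: $theme_json";
        return $findings;
    }
    $current  = hash_file( 'sha256', $theme_json );
    $baseline = get_option( $option );
    if ( false === $baseline ) {
        update_option( $option, $current, false ); // first run: record the baseline
        $findings[] = "Baseline recorded for theme.json: $current";
    } elseif ( ! hash_equals( $baseline, $current ) ) {
        $findings[] = "theme.json changed since baseline ($baseline -> $current), "
                    . 'mtime ' . gmdate( 'c', filemtime( $theme_json ) );
    }
    return $findings;
}

$uploads  = wp_upload_dir();
$findings = example_fonts_check(
    trailingslashit( $uploads['basedir'] ) . 'example-fonts',        // placeholder
    trailingslashit( get_stylesheet_directory() ) . 'theme.json'
);
foreach ( $findings as $line ) {
    WP_CLI::log( $line );
}
if ( empty( $findings ) ) {
    WP_CLI::success( 'Font directory and theme.json look intact.' );
}
```

Record the baseline right after a known-good update to 2.1.17 and re-run the check on a schedule; a changed hash or an empty font directory is a cue to compare against your backup and review access logs.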


Conclusion

The quick fix released for this vulnerability reinforces the importance of timely plugin updates, especially for plugins that manage files and theme configuration. Site owners should ensure they are running Custom Fonts version 2.1.17 or later to prevent unauthorized deletion of fonts and configuration changes.

Keeping a WordPress website secure is particularly challenging for small business owners with limited time for maintenance. This vulnerability demonstrates how missing authorization checks can allow unauthenticated users to disrupt a site’s appearance and functionality.

Custom Fonts – Host Your Fonts Locally is widely used to improve performance and privacy by hosting fonts locally, but affected versions prior to 2.1.17 expose sites to potential data loss. Applying updates promptly, maintaining reliable backups, and limiting unnecessary plugins are key steps in reducing risk.

Staying proactive with security updates helps protect your website’s appearance, usability, and reputation, ensuring your site remains stable and professional for visitors.


References

Wordfence Threat Intelligence
plugins.trac.wordpress.org


Staying Secure

As a business owner, you don’t have time to constantly monitor for WordPress vulnerabilities like this. At Your WP Guy, we become your outsourced IT team to handle security, updates, maintenance and support. Let us fully audit your site and plugins to assess any impact from this issue. We’ll update everything to patched versions so you can rest easy knowing your site is locked down.

Focus on your business goals while we focus on your WordPress site’s security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 for a free consultation on securing your online presence.
