Question 1

What is the Custom Fonts vulnerability?

Accepted Answer

What is the Custom Fonts vulnerability?

This vulnerability affects the Custom Fonts – Host Your Fonts Locally plugin and allows unauthenticated attackers to delete locally hosted font files and modify the site’s theme configuration. The issue is caused by missing authorization checks in a core plugin component.

Although it does not allow attackers to steal data or take full control of a site, it can significantly disrupt how a website looks and functions. For many businesses, visual consistency and branding are critical.

Question 2

Which versions of the Custom Fonts plugin are affected?

Accepted Answer

Which versions of the Custom Fonts plugin are affected?

All versions of the plugin up to and including version 2.1.16 are affected by this vulnerability. Version 2.1.17 includes a fix that prevents unauthorized actions.

If your site is running an older version, updating immediately will remove the risk. You can check your current version in the Plugins section of your WordPress dashboard.

Question 3

Do attackers need to be logged in to exploit this issue?

Accepted Answer

Do attackers need to be logged in to exploit this issue?

No, authentication is not required to exploit this vulnerability. Any visitor could potentially trigger the vulnerable functionality.

This makes the issue more serious than vulnerabilities that require user access, as exploitation can occur without credentials or visible warning signs.

Question 4

What kind of damage could this vulnerability cause?

Accepted Answer

What kind of damage could this vulnerability cause?

An attacker could delete the directory where your custom fonts are stored, causing fonts to disappear across your site. This can result in broken layouts, fallback fonts, or unreadable text.

In addition, rewriting the theme.json file can change global styles such as fonts, spacing, and colors. Fixing these issues may require technical knowledge or restoring from backups.

Question 5

How do I fix the vulnerability on my website?

Accepted Answer

How do I fix the vulnerability on my website?

The fix is straightforward and involves updating the Custom Fonts plugin to version 2.1.17 or later. This update adds proper authorization checks.

After updating, you should verify that your fonts are loading correctly and that your site’s design appears as expected. If anything is missing, restoring from a backup may be necessary.

Question 6

How can I tell if my site has already been affected?

Accepted Answer

How can I tell if my site has already been affected?

Signs of exploitation may include missing fonts, unexpected typography changes, or altered site styling. Your website may suddenly look different without any changes made by you.

Checking the font directory and reviewing recent changes to the theme.json file can help identify issues. In many cases, problems are visual rather than obvious error messages.

Question 7

Why do vulnerabilities like this happen in popular plugins?

Accepted Answer

Why do vulnerabilities like this happen in popular plugins?

Popular plugins often manage complex functionality such as files, styles, and integrations with themes. This complexity increases the chance of security oversights.

What matters most is how quickly issues are discovered and fixed. In this case, the developer released a patch promptly once the issue was disclosed.

Question 8

Should I stop using the Custom Fonts plugin?

Accepted Answer

Should I stop using the Custom Fonts plugin?

There is no need to stop using the plugin if you have updated to the patched version. Once updated, the vulnerability is resolved.

However, it is always a good idea to review whether every plugin you use is necessary. Reducing plugin count can lower overall security risk.

Question 9

How often should WordPress plugins be updated?

Accepted Answer

How often should WordPress plugins be updated?

Plugins should be updated as soon as security fixes are released. Delaying updates increases the chance that known vulnerabilities can be exploited.

For busy site owners, automatic updates or managed maintenance services can help ensure updates are not missed.

Question 10

What can small business owners do if they do not have time to manage security?

Accepted Answer

What can small business owners do if they do not have time to manage security?

Small business owners can rely on WordPress maintenance services that handle updates, backups, and monitoring automatically. This reduces stress and minimizes risk.

Keeping regular backups, limiting unnecessary plugins, and using reputable security tools can also go a long way. Even simple proactive steps can protect your site from avoidable issues.

WordPress Vulnerabilities

Custom Fonts – Host Your Fonts Locally Vulnerability – Missing Authorization to Unauthenticated Font Deletion – CVE-2025-14351 | WordPress Plugin Vulnerability Report

FileOrganizer Vulnerability – Sensitive Information Exposure via Directory Listing – CVE-2024-5599 | WordPress Plugin Vulnerability Report

Qi Addons For Elementor Vulnerability – Authenticated (Contributor+) Local File Inclusion – CVE-2024-4887 | WordPress Plugin Vulnerability Report

Gutenberg Vulnerability – Unauthenticated & Authenticated (Contributor+) Stored Cross-Site Scripting via Avatar Block | WordPress Plugin Vulnerability Report

Better Search Replace Vulnerability – Unauthenticated PHP Object Injection – CVE-2023-6933 | WordPress Plugin Vulnerability Report

WPvivid Vulnerability – Missing Authorization – CVE-2023-4637 | WordPress Plugin Vulnerability Report

Common Signs Your WordPress Website May Be Compromised

Recent Blog Posts

Yoast SEO – Advanced SEO with real-time guidance and built-in AI Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘jsonText’ Block Attribute – CVE-2026-3427 | WordPress Plugin Vulnerability Report

The Events Calendar Vulnerability – Missing Authorization to Authenticated (Subscriber+) Data Migration Control – CVE-2025-15043 | WordPress Plugin Vulnerability Report

Additional Resources

About Your WP Guy