Typography plugins appear presentation-oriented, but their core workflows involve file uploads, local asset hosting, generated CSS, editor integration, and front-end output. That combination can become security-sensitive when font files, font names, CSS rules, and generated asset paths are accepted from administrators or imported from external providers. Custom Fonts version 2.1.17 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64660, confirming that the plugin was reviewed from a secure code perspective with attention to common exploitation paths for local font hosting and typography customization plugins.

Name of the plugin: Custom Fonts – Host Your Fonts Locally
Version: 2.1.17
Active installations: 400,000+
Description: Custom Fonts enables you to upload your own custom fonts or choose from a vast collection of Google Fonts, all hosted directly on your own web server.
Security: Successfully tested for:
SQL Injection (SQLi)
Cross-Site Scripting (XSS) – Stored & Reflected
Cross-Site Request Forgery (CSRF)
Authentication Vulnerabilities
Authentication Bypass Exploits
Privilege Escalation
Buffer Overflow
Denial-of-Service (DoS) vectors
Data Leakage Vulnerabilities
Insecure Dependency Usage
Remote Code Execution (RCE) Risks
Unauthorized File Access
Insufficient Injection Protection
Information Disclosure via Misconfigured Endpoints
CleanTalk Certification: Proudly earned the “Plugin Security Certification” (PSC) from CleanTalk, indicating adherence to stringent security standards.
Additional Information: Use Custom Fonts with confidence backed by the “Plugin Security Certification” (PSC). Always verify the latest plugin details and keep WordPress core and dependent components up to date.

Key Features

Custom Fonts lets site owners upload custom font files, choose Google Fonts, host fonts locally, manage multiple font variants, and integrate typography settings with supported themes and plugins. The plugin is designed to reduce external font requests, improve page performance, and give site owners more control over privacy and design consistency. These capabilities matter for security because the plugin touches font file uploads, locally generated assets, CSS output, editor-facing controls, front-end rendering, and potentially remote font retrieval workflows. Secure implementation requires validating file types, preventing arbitrary file writes, constraining generated paths, sanitizing font metadata, and encoding output safely in CSS, HTML, and admin UI contexts.

Security Assurance

The CleanTalk Plugin Security Certification evaluation focuses on safe behavior for plugins that accept uploaded assets and generate front-end styling. For font plugins, the common abuse patterns include uploading unexpected file types, storing files in unsafe locations, writing arbitrary files through path manipulation, injecting CSS or HTML through font family names, exposing local asset paths in unsafe ways, and forcing configuration changes through CSRF. The review validates that upload and import flows are restricted to authorized users, that accepted files and extensions are constrained to expected font formats, and that generated CSS cannot become a script or markup injection path. Particular attention is paid to local hosting behavior, Google Font import logic, variant management, and integration with builders or full-site-editing themes because font settings often propagate into multiple rendering contexts.

The plugin has been successfully tested for:

✅ Information Leakage Vulnerabilities

✅ SQL Injection Vulnerabilities

✅ Cross-Site Scripting (XSS) Attacks

✅ Cross-Site Request Forgery (CSRF) Attacks

✅ Authentication & Authentication Bypass Vulnerabilities

✅ Privilege Escalation Vulnerabilities

✅ Buffer Overflow Vulnerabilities

✅ Denial-of-Service (DoS) Vulnerabilities

✅ Data Leakage Vulnerabilities

✅ Insecure Dependencies

✅ Code Execution Vulnerabilities

✅ Unauthorized File Access Vulnerabilities

✅ Insufficient Injection Protection

Conclusion

With PSC-2026-64660, Custom Fonts version 2.1.17 demonstrates strong baseline security for the workflows that matter most in typography customization plugins: accepting font assets, hosting them locally, generating safe CSS, and integrating with WordPress editing and front-end rendering. This certification helps site owners improve typography control and reduce external font dependencies while keeping common file-handling and injection risks under review. As a best practice, allow only trusted administrators to upload fonts, keep font libraries minimal, and verify that theme or builder output escapes custom font names correctly in every context.

Note: The date and certification information may change over time. It is advisable to verify the latest details on the plugin developer’s website.

Plugin Security Certification (PSC-2026-64660): “Custom Fonts – Host Your Fonts Locally” – Version 2.1.17
