cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches forcustom-fonts custom-fonts

Direction: ascending
Jun 07, 2024

Custom Fonts – Host Your Fonts Locally # CVE-2024-1332

CVE, Research URL

CVE-2024-1332

Home page URL

Security reports for Custom Fonts – Host Your Fonts Locally

Application

Custom Fonts – Host Your Fonts Locally

Date
May 24, 2024
Research Description
The Custom Fonts – Host Your Fonts Locally plugin for WordPress is vulnerable to Stored Cross-Site Scripting via svg file upload in all versions up to, and including, 2.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author level or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 2.1.5.
Status
vulnerable
Jan 28, 2026

Custom Fonts – Host Your Fonts Locally # CVE-2025-14351

CVE, Research URL

CVE-2025-14351

Home page URL

Security reports for Custom Fonts – Host Your Fonts Locally

Application

Custom Fonts – Host Your Fonts Locally

Date
Jan 20, 2026
Research Description
The Custom Fonts – Host Your Fonts Locally plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'BCF_Google_Fonts_Compatibility' class constructor function in all versions up to, and including, 2.1.16. This makes it possible for unauthenticated attackers to delete font directory and rewrite theme.json file.
Affected versions
max 2.1.17.
Status
vulnerable
May 26, 2026

Custom Fonts – Host Your Fonts Locally # PSC-2026-64660

PSC, Research URL

PSC-2026-64660

Home page URL

Security reports for Custom Fonts – Host Your Fonts Locally

Application

Custom Fonts – Host Your Fonts Locally

Date
May 26, 2026
Research Description
Typography plugins appear presentation-oriented, but their core workflows involve file uploads, local asset hosting, generated CSS, editor integration, and front-end output. That combination can become security-sensitive when font files, font names, CSS rules, and generated asset paths are accepted from administrators or imported from external providers. Custom Fonts version 2.1.17 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64660, confirming that the plugin was reviewed from a secure code perspective with attention to common exploitation paths for local font hosting and typography customization plugins.
Affected versions
Min 2.1.17, max 2.1.17.
Status
SAFE & CERTIFIED