Vulnerabilities and security researches forcustom-fonts custom-fonts

Jun 07, 2024

CVE, Research URL: CVE-2024-1332
Home page URL: Security reports for Custom Fonts – Host Your Fonts Locally
Application: Custom Fonts – Host Your Fonts Locally
Date: May 24, 2024
Research Description: The Custom Fonts – Host Your Fonts Locally plugin for WordPress is vulnerable to Stored Cross-Site Scripting via svg file upload in all versions up to, and including, 2.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author level or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 2.1.5.
Status: vulnerable

Jan 28, 2026

CVE, Research URL: CVE-2025-14351
Home page URL: Security reports for Custom Fonts – Host Your Fonts Locally
Application: Custom Fonts – Host Your Fonts Locally
Date: Jan 20, 2026
Research Description: The Custom Fonts – Host Your Fonts Locally plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'BCF_Google_Fonts_Compatibility' class constructor function in all versions up to, and including, 2.1.16. This makes it possible for unauthenticated attackers to delete font directory and rewrite theme.json file.
Affected versions: max 2.1.17.
Status: vulnerable