cleantalk
Vulnerabilities and Security Researches

Custom Fonts – Host Your Fonts Locally, CVE-2025-14351

CVE, Research URL

CVE-2025-14351

Home page URL

Security reports for Custom Fonts – Host Your Fonts Locally

Application

Custom Fonts – Host Your Fonts Locally

Published on
Jan 20, 2026
Research Description
The Custom Fonts – Host Your Fonts Locally plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'BCF_Google_Fonts_Compatibility' class constructor function in all versions up to, and including, 2.1.16. This makes it possible for unauthenticated attackers to delete font directory and rewrite theme.json file.
Affected versions
max 2.1.17.
Status
vulnerable
Previous vulnerability researches
Delay Redirects (CVE-2026-24632) , Jan 28, 2026
New vulnerability
APPExperts – Mobile App Builder for WordPress | WooCommerce to iOS and Android Apps (CVE-2025-68881) , Jan 28, 2026
Simple Calendar – Google Calendar Plugin (CVE-2025-68979) , Jan 28, 2026
Contact Form Builder Plugin: Multi Step Contact Form, Payment Form, Custom Contact Form Plugin by Bit Form (CVE-2025-14901) , Jan 28, 2026
IMGspider – 图片采集抓取插件 (CVE-2026-22482) , Jan 28, 2026
NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor (CVE-2025-15380) , Jan 28, 2026