CVE-2025-14351 Overview
The Custom Fonts – Host Your Fonts Locally plugin for WordPress contains an authorization bypass vulnerability due to a missing capability check on the BCF_Google_Fonts_Compatibility class constructor function. This security flaw affects all versions up to and including 2.1.16, allowing unauthenticated attackers to delete font directories and rewrite the theme.json file without proper authorization.
Critical Impact
Unauthenticated attackers can delete font directories and modify theme configuration files, potentially disrupting website appearance and functionality.
Affected Products
- Custom Fonts – Host Your Fonts Locally plugin for WordPress versions up to and including 2.1.16
Discovery Timeline
- 2026-01-20 - CVE-2025-14351 published to NVD
- 2026-01-20 - Last updated in NVD database
Technical Details for CVE-2025-14351
Vulnerability Analysis
This vulnerability is classified as CWE-862 (Missing Authorization), which occurs when a software component fails to perform authorization checks before executing privileged operations. In this case, the BCF_Google_Fonts_Compatibility class constructor function lacks proper capability verification, meaning it does not validate whether the requesting user has sufficient permissions to perform sensitive file operations.
The vulnerability allows network-based attacks without requiring any authentication or user interaction. While the confidentiality impact is negligible, the integrity impact allows unauthorized modification of data—specifically the deletion of font directories and overwriting of the theme.json configuration file.
Root Cause
The root cause of this vulnerability lies in the absence of a capability check within the BCF_Google_Fonts_Compatibility class constructor. WordPress provides built-in functions like current_user_can() to verify user permissions before executing sensitive operations. The vulnerable code path in class-bcf-google-fonts-compatibility.php fails to implement these checks, allowing any unauthenticated request to trigger file deletion and modification operations.
Attack Vector
The attack can be executed remotely over the network by sending crafted requests to a WordPress site running the vulnerable plugin version. Since no authentication is required, attackers can directly invoke the vulnerable class constructor functionality. The attack requires low complexity and no user interaction, making it trivially exploitable against exposed WordPress installations.
The exploitation flow involves:
- Identifying a WordPress site running Custom Fonts plugin version 2.1.16 or earlier
- Crafting requests that trigger the BCF_Google_Fonts_Compatibility class constructor
- Exploiting the missing capability check to delete font directories
- Potentially rewriting the theme.json file to alter theme configuration
For technical implementation details, refer to the WordPress Custom Fonts Code and the Wordfence Vulnerability Report.
Detection Methods for CVE-2025-14351
Indicators of Compromise
- Unexpected deletion of font directories within the WordPress uploads or plugin directories
- Unauthorized modifications to theme.json files with timestamps not matching legitimate admin activity
- Web server logs showing requests targeting Custom Fonts plugin endpoints from unauthenticated sources
- Sudden font rendering issues or theme configuration changes on the site
Detection Strategies
- Monitor WordPress access logs for suspicious requests to Custom Fonts plugin paths without valid authentication cookies
- Implement file integrity monitoring on the theme.json file and font directories to detect unauthorized changes
- Deploy web application firewall rules to detect and block exploitation attempts targeting the vulnerable endpoint
- Review plugin version inventory to identify installations running version 2.1.16 or earlier
Monitoring Recommendations
- Configure alerting for any filesystem changes to font directories outside scheduled maintenance windows
- Establish baseline behavior for WordPress admin operations and alert on deviations
- Enable verbose logging for WordPress plugin activity to capture exploitation attempts
- Implement SentinelOne Singularity to detect and respond to file system modifications associated with this vulnerability
How to Mitigate CVE-2025-14351
Immediate Actions Required
- Update the Custom Fonts – Host Your Fonts Locally plugin to the latest patched version immediately
- Review theme.json files and font directories for any unauthorized modifications
- Audit web server logs for any evidence of exploitation attempts
- Consider temporarily disabling the plugin if immediate patching is not possible
Patch Information
The vulnerability has been addressed in plugin versions after 2.1.16. The patch introduces proper capability checks in the BCF_Google_Fonts_Compatibility class constructor to ensure only authorized users can perform file operations. Review the WordPress Custom Fonts Changeset for specific implementation details of the security fix.
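To make the Root Cause and the Patch Information concrete, here is an added illustration of the defect shape and its fix; it is not the plugin's own code. A constructor hooks a request-driven file operation into WordPress with no caller check, beside the same class gated with current_user_can() and a nonce. The class names, the reset_fonts query parameter, the nonce action and the font directory path are assumptions.

```php
<?php
// Added illustration, not the plugin's code; class names, the reset_fonts
// parameter and the nonce action are assumed for the example.
abstract class Fonts_Reset_Base {
    // The privileged operations: remove the local font directory and
    // overwrite the active theme's theme.json. Identical in both variants.
    protected function reset_fonts() {
        $font_dir = trailingslashit( wp_upload_dir()['basedir'] ) . 'custom-fonts';
        foreach ( glob( $font_dir . '/*' ) ?: array() as $file ) {
            wp_delete_file( $file );
        }
        if ( is_dir( $font_dir ) ) {
            rmdir( $font_dir );
        }
        file_put_contents(
            get_stylesheet_directory() . '/theme.json',
            wp_json_encode( array( 'version' => 2, 'settings' => array() ) )
        );
    }
}
// VULNERABLE (CWE-862): the constructor hooks the reset onto `init`, which runs
// for every request, and only checks that a query parameter exists: no caller check.
class Vulnerable_Fonts_Compatibility extends Fonts_Reset_Base {
    public function __construct() {
        add_action( 'init', array( $this, 'maybe_reset' ) );
    }
    public function maybe_reset() {
        if ( ! empty( $_GET['reset_fonts'] ) ) {
            $this->reset_fonts();
        }
    }
}
// HARDENED: same operation, but only for a caller holding the capability and
// only with a valid nonce, so an administrator cannot be tricked cross-site.
class Hardened_Fonts_Compatibility extends Fonts_Reset_Base {
    public function __construct() {
        add_action( 'admin_init', array( $this, 'maybe_reset' ) );
    }
    public function maybe_reset() {
        if ( empty( $_GET['reset_fonts'] ) ) {
            return;
        }
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
        }
        check_admin_referer( 'bcf_reset_fonts' ); // dies on a missing/invalid nonce
        $this->reset_fonts();
    }
}
```

With the hardened class, the admin link that triggers the reset must be built with wp_nonce_url( admin_url( 'admin.php?reset_fonts=1' ), 'bcf_reset_fonts' ) so the nonce check passes.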
Workarounds
- Implement web application firewall rules to restrict access to the vulnerable plugin endpoints
- Use WordPress security plugins to add additional authorization checks at the application layer
- Restrict direct access to plugin files via .htaccess or nginx configuration until patching is complete
- Enable WordPress file system permissions to prevent web server write access to theme configuration files
# Example: Restrict write permissions on theme.json
chmod 444 /path/to/wordpress/wp-content/themes/your-theme/theme.json
# Example: Add .htaccess protection for custom-fonts plugin directory
# Add to /wp-content/plugins/custom-fonts/.htaccess
# Blocks only direct HTTP requests to the file; WordPress includes the class
# itself, so this is defense in depth, not a substitute for the patch.
<Files "class-bcf-google-fonts-compatibility.php">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</Files>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

