CVE-2025-14351 MEDIUM

CVE-2025-14351: Custom Fonts – Host Your Fonts Locally <= 2.1.16 - Missing Authorization to Unauthenticated Font Deletion

Vendor Brainstormforce
Product Custom Fonts – Host Your Fonts Locally
Weakness CWE-862 · Missing authorization
Published January 20, 2026
Last update April 8, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The Custom Fonts – Host Your Fonts Locally plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'BCF_Google_Fonts_Compatibility' class constructor in all versions up to, and including, 2.1.16. This makes it possible for unauthenticated attackers to delete the font directory and rewrite the theme.json file.
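The weakness class here (CWE-862) is a request handler that does privileged work without first asking whether the caller is allowed to. The PHP below is an added illustration written for this record, not the plugin's own code: the class names, the `reset_fonts` query parameter, the `hyp_` action and nonce names, and the directory paths are all hypothetical. It contrasts a constructor that performs a destructive action on any request with the pattern WordPress plugin authors are expected to use: register a hook in the constructor, and gate the destructive handler behind a capability check and a nonce.

```php
<?php
// Hypothetical illustration of CWE-862 in a WordPress plugin.
// Not the Custom Fonts plugin's code; all names below are assumptions.

// Shared destructive routine: removes every file in a font directory and
// overwrites theme.json. Paths are constructed for the illustration.
function hyp_reset_font_assets( $font_dir, $theme_json ) {
    foreach ( glob( rtrim( $font_dir, '/' ) . '/*' ) as $file ) {
        if ( is_file( $file ) ) {
            unlink( $file );
        }
    }
    if ( is_dir( $font_dir ) ) {
        rmdir( $font_dir );
    }
    // A rewrite of theme.json that drops the custom font definitions.
    file_put_contents( $theme_json, json_encode( array( 'version' => 2 ) ) );
}

// VULNERABLE PATTERN: the constructor itself reacts to request input and runs
// the destructive routine. Whoever can cause the class to be instantiated on a
// front-end request reaches it; no login, capability or nonce is involved.
class Hypothetical_Fonts_Compat_Vulnerable {
    public function __construct() {
        if ( isset( $_GET['reset_fonts'] ) ) {
            hyp_reset_font_assets(
                WP_CONTENT_DIR . '/uploads/hyp-fonts',
                get_stylesheet_directory() . '/theme.json'
            );
        }
    }
}

// HARDENED PATTERN: the constructor only registers a hook. The handler runs
// through admin-post.php, which requires a logged-in user, and then checks
// both a capability and a nonce before touching the filesystem.
class Hypothetical_Fonts_Compat_Hardened {
    const ACTION = 'hyp_reset_fonts';

    public function __construct() {
        add_action( 'admin_post_' . self::ACTION, array( $this, 'handle_reset_fonts' ) );
    }

    public function handle_reset_fonts() {
        // Authorization: being logged in is not enough; require the capability
        // that matches the impact (site-wide theme files => manage_options).
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( esc_html__( 'You are not allowed to do this.', 'hyp' ), 403 );
        }
        // CSRF protection: the request must carry a nonce issued for this action.
        check_admin_referer( self::ACTION );

        hyp_reset_font_assets(
            WP_CONTENT_DIR . '/uploads/hyp-fonts',
            get_stylesheet_directory() . '/theme.json'
        );

        wp_safe_redirect( admin_url( 'themes.php?page=hyp-fonts&reset=1' ) );
        exit;
    }

    // Link rendered on the plugin's admin page; carries the matching nonce.
    public static function reset_link() {
        return wp_nonce_url(
            admin_url( 'admin-post.php?action=' . self::ACTION ),
            self::ACTION
        );
    }
}
```

Two points worth keeping in mind when reviewing plugin code for this class of bug: `is_admin()` only tells you the request targets an admin page and is not an authorization check, and `admin_post_{action}` hooks guarantee a logged-in user but not a privileged one, so the `current_user_can()` call is still required. The vector in this record (PR:N, UI:N) corresponds to the first class above: nothing between the network request and the destructive routine asks who is calling.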

Explanation of Vulnerability in Simple Terms

02 Summary

Custom Fonts – Host Your Fonts Locally versions 2.1.16 and earlier lack proper authorization checks, allowing unauthenticated attackers to modify font data or settings. The vulnerability requires only network access and no user interaction. Site administrators should update to a version newer than 2.1.16 to restore proper access controls.

What an attacker can do

03 Attacker Capabilities

Modify font settings or data without authentication.

Potential impact on your site

04 Site Impact

Attackers can alter your site's font configuration or hosted font files without logging in.

Conditions required to exploit

05 Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06 Disclosure timeline

January 20, 2026 CVE published
April 8, 2026 Record updated