What the vulnerability does
01 Description
The Custom Fonts – Host Your Fonts Locally plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'BCF_Google_Fonts_Compatibility' class constructor function in all versions up to, and including, 2.1.16. This makes it possible for unauthenticated attackers to delete the plugin's font directory and rewrite the theme.json file.
Explanation of Vulnerability in Simple Terms
02 Summary
Custom Fonts – Host Your Fonts Locally versions 2.1.16 and earlier perform a destructive operation without first checking that the requester is authorized, so an unauthenticated attacker can delete the plugin's font directory and rewrite theme.json. Exploitation requires only network access to the site; no account, no privileges and no user interaction are needed. Site administrators should update to a version newer than 2.1.16, which restores the missing access control.
What an attacker can do
03 Attacker Capabilities
Delete the plugin's font directory and overwrite theme.json without authenticating.
Potential impact on your site
04 Site Impact
An attacker who is not logged in can delete the fonts the plugin hosts and overwrite theme.json, breaking the site's typography and any other theme settings that file defines.
Conditions required to exploit
05 Prerequisites
Network access only; no authentication or user interaction required.
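To make the class of bug concrete, here is an added illustration in PHP; it is not code from the Custom Fonts plugin or its maintainers, and the advisory does not publish the affected code. It contrasts a hypothetical plugin class whose constructor wires a destructive handler onto a hook that unauthenticated requests can reach, with no capability check, against a hardened version that registers only the authenticated hook, checks current_user_can(), verifies a nonce, and confines the deletion to the directory it owns. The class, action and directory names (Example_Fonts_Compat_*, example_reset_fonts, example-fonts) are assumptions, and the file is meant to be loaded as a WordPress plugin.

```php
<?php
/**
 * Plugin Name: Example Fonts Compat (advisory illustration)
 *
 * Added illustration for this advisory, NOT code from the Custom Fonts plugin.
 * All names below (Example_Fonts_Compat_*, example_reset_fonts, example-fonts)
 * are hypothetical. Requires WordPress to be loaded.
 */

// Shared helper: post-order delete of a directory tree.
function example_rmdir_recursive( $dir ) {
    if ( ! is_dir( $dir ) ) {
        return;
    }
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    foreach ( $it as $entry ) {
        $entry->isDir() ? rmdir( $entry->getPathname() ) : unlink( $entry->getPathname() );
    }
    rmdir( $dir );
}

/* ---- Vulnerable pattern: constructor hooks destructive work, no authz --- */
class Example_Fonts_Compat_Vulnerable {
    public function __construct() {
        // wp_ajax_nopriv_* fires for logged-out visitors, so a plain POST to
        // admin-ajax.php?action=example_reset_fonts reaches reset() with no
        // session at all.
        add_action( 'wp_ajax_nopriv_example_reset_fonts', array( $this, 'reset' ) );
        add_action( 'wp_ajax_example_reset_fonts',        array( $this, 'reset' ) );
    }

    public function reset() {
        // No current_user_can() and no nonce: anyone on the network can run this.
        $upload = wp_upload_dir();
        example_rmdir_recursive( trailingslashit( $upload['basedir'] ) . 'example-fonts' );
        file_put_contents( get_stylesheet_directory() . '/theme.json', '{}' );
        wp_send_json_success();
    }
}

/* ---- Hardened pattern: authenticated hook only, capability + nonce ------ */
class Example_Fonts_Compat_Hardened {
    const ACTION = 'example_reset_fonts';
    const CAP    = 'manage_options';

    public function __construct() {
        // Register only the authenticated hook. Without wp_ajax_nopriv_ the
        // handler is never even invoked for logged-out requests.
        add_action( 'wp_ajax_' . self::ACTION, array( $this, 'reset' ) );
    }

    public function reset() {
        // 1. Authorization: the caller must hold a capability that justifies
        //    deleting site assets and editing theme configuration.
        if ( ! current_user_can( self::CAP ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }

        // 2. CSRF: the request must carry a nonce minted for this action
        //    (the admin page creates it with wp_create_nonce( self::ACTION )).
        //    check_ajax_referer() dies with -1 / HTTP 403 on failure.
        check_ajax_referer( self::ACTION, 'nonce' );

        // 3. Containment: delete only the directory this plugin owns, resolved
        //    with realpath() so it cannot escape the uploads base directory.
        $upload = wp_upload_dir();
        $base   = realpath( $upload['basedir'] );
        $dir    = realpath( $base . '/example-fonts' );
        if ( $base && $dir && 0 === strpos( $dir, $base . DIRECTORY_SEPARATOR ) ) {
            example_rmdir_recursive( $dir );
        }

        // 4. Rewrite theme.json with the same privilege and CSRF guarantees as
        //    the deletion above; an administrator explicitly asked for this.
        file_put_contents( get_stylesheet_directory() . '/theme.json', '{}' );

        wp_send_json_success();
    }
}

// Instantiate the hardened class only; the vulnerable one is here for contrast.
new Example_Fonts_Compat_Hardened();
```

The two things to look for when auditing a plugin for this bug class are a `wp_ajax_nopriv_` (or an unauthenticated REST route or `init`-time handler) registration wired up in a constructor, and a handler that changes state without a `current_user_can()` check; a nonce alone is not authorization, since nonces are minted for logged-out visitors too.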
Key dates
06 Disclosure timeline
January 20, 2026
CVE published
April 8, 2026
Record updated