Medium severity5.3NVD Advisory· Published Jan 20, 2026· Updated Apr 15, 2026
CVE-2025-14351
CVE-2025-14351
Description
The Custom Fonts – Host Your Fonts Locally plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'BCF_Google_Fonts_Compatibility' class constructor function in all versions up to, and including, 2.1.16. This makes it possible for unauthenticated attackers to delete font directory and rewrite theme.json file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: <=2.1.16
Patches
Vulnerability mechanics
References
3News mentions
0No linked articles in our index yet.