EUVD-2026-14011
GHSA-h49v-28c5-9j37
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3Description
The Fonts Manager | Custom Fonts plugin for WordPress is vulnerable to time-based SQL Injection via the ‘fmcfIdSelectedFnt’ parameter in all versions up to, and including, 1.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Analysis
The Fonts Manager | Custom Fonts plugin for WordPress contains a time-based SQL injection vulnerability in versions up to and including 1.2. Unauthenticated attackers can exploit the vulnerable 'fmcfIdSelectedFnt' parameter to extract sensitive database information without requiring any privileges or user interaction. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Audit all WordPress instances to identify installations of Fonts Manager | Custom Fonts plugin and document affected sites; immediately disable the plugin on all affected systems if business operations permit. Within 7 days: If the plugin cannot be disabled, implement WAF rules to block requests containing the 'fmcfIdSelectedFnt' parameter with SQL injection payloads, and isolate affected WordPress environments from production networks where possible. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today