Custom Fonts – Host Your Fonts Locally Security & Risk Analysis

wordpress.org/plugins/custom-fonts

Custom Fonts is a powerful WordPress plugin that allows you to upload your own custom fonts or choose from a vast collection of Google Fonts, all host …

300K active installs · v2.1.17 · PHP + WP 5.0+ · Updated Jan 19, 2026
Tags: custom-fonts, fonts, full-site-editing, google-fonts, performance
Score: 98 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Jan 19, 2026
Safety Verdict

Is Custom Fonts – Host Your Fonts Locally Safe to Use in 2026?

Generally Safe

Score 98/100

Custom Fonts – Host Your Fonts Locally has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Jan 19, 2026 · Updated 2mo ago
Risk Assessment

The "custom-fonts" plugin version 2.1.17 exhibits a generally strong security posture based on the static analysis. The absence of unprotected entry points (AJAX, REST API, shortcodes, cron events) is a significant positive. Furthermore, the code demonstrates excellent practices regarding SQL queries (100% prepared statements) and output escaping (100% properly escaped). Nonce and capability checks are implemented across a reasonable number of points, and there are no identified critical or high-severity taint flows.

However, the plugin's vulnerability history is a notable concern. It has two known medium-severity CVEs; neither is currently unpatched, but together they suggest a pattern of past security weaknesses. The vulnerability types involved, Missing Authorization and Unrestricted Upload of File with Dangerous Type, are particularly serious because they often lead to unauthorized access or malicious file execution. The most recent vulnerability being dated 2026 is also an anomaly and might indicate a data entry error or a highly unusual release/patch cycle in the historical data, but it still highlights past issues. While the current version appears well-hardened in static analysis, the historical context calls for caution, especially around file upload functionality if it is exposed in any way, even where that is not immediately apparent in this static analysis snapshot.

Key Concerns

  • Two past medium CVEs
  • Vulnerability history: Missing Authorization
  • Vulnerability history: Unrestricted Upload
Vulnerabilities: 2

Custom Fonts – Host Your Fonts Locally Security Vulnerabilities

CVEs by Year

2024: 1 CVE
2026: 1 CVE

Severity Breakdown

Medium: 2

2 total CVEs

CVE-2025-14351 · medium · 5.3 · Missing Authorization

Custom Fonts – Host Your Fonts Locally <= 2.1.16 - Missing Authorization to Unauthenticated Font Deletion

Jan 19, 2026 · Patched in 2.1.17 (1d)

CVE-2024-1332 · medium · 6.4 · Unrestricted Upload of File with Dangerous Type

Custom Fonts – Host Your Fonts Locally <= 2.1.4 - Authenticated (Author+) Stored Cross-Site Scripting

May 23, 2024 · Patched in 2.1.5 (1d)

Code Analysis
Analyzed Mar 16, 2026

Custom Fonts – Host Your Fonts Locally Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (2 prepared)
Unescaped Output: 0 (201 escaped)
Nonce Checks: 8
Capability Checks: 11
File Operations: 10
External Requests: 2
Bundled Libraries: 0

SQL Query Safety

100% prepared · 2 total queries

Output Escaping

100% escaped · 201 total outputs

Data Flows: All sanitized

Data Flow Analysis

2 flows
bcf_preloading (admin\dashboard\includes\class-bsf-custom-fonts-admin-ajax.php:325)
Attack Surface

Custom Fonts – Host Your Fonts Locally Attack Surface

Entry Points: 2
Unprotected: 0

REST API Routes: 2

GET /wp-json/custom-fonts/v1/get-tracking-status (includes\rest-api\class-cf-bsf-analytics-compatibility.php:83)
POST /wp-json/custom-fonts/v1/update-tracking-status (includes\rest-api\class-cf-bsf-analytics-compatibility.php:95)

WordPress Hooks: 42

action init (admin\bsf-analytics\class-bsf-analytics-loader.php:68)
action admin_init (admin\bsf-analytics\class-bsf-analytics.php:55)
action admin_notices (admin\bsf-analytics\class-bsf-analytics.php:56)
action init (admin\bsf-analytics\class-bsf-analytics.php:57)
action admin_init (admin\bsf-analytics\class-bsf-analytics.php:61)
action init (admin\dashboard\includes\class-bsf-custom-fonts-admin-ajax.php:56)
action admin_menu (admin\dashboard\includes\class-bsf-custom-fonts-menu.php:75)
action admin_init (admin\dashboard\includes\class-bsf-custom-fonts-menu.php:76)
filter upload_mimes (admin\dashboard\includes\class-bsf-custom-fonts-menu.php:78)
filter wp_check_filetype_and_ext (admin\dashboard\includes\class-bsf-custom-fonts-menu.php:79)
action admin_enqueue_scripts (admin\dashboard\includes\class-bsf-custom-fonts-menu.php:446)
filter admin_footer_text (admin\dashboard\includes\class-bsf-custom-fonts-menu.php:447)
action admin_enqueue_scripts (classes\class-bsf-custom-fonts-render.php:115)
action admin_notices (classes\class-bsf-custom-fonts-render.php:117)
action delete_term (classes\class-bsf-custom-fonts-render.php:120)
action plugins_loaded (classes\class-bsf-custom-fonts-render.php:122)
filter astra_system_fonts (classes\class-bsf-custom-fonts-render.php:125)
filter spectra_system_fonts (classes\class-bsf-custom-fonts-render.php:128)
filter fl_theme_system_fonts (classes\class-bsf-custom-fonts-render.php:131)
filter fl_builder_font_families_system (classes\class-bsf-custom-fonts-render.php:132)
action wp_enqueue_scripts (classes\class-bsf-custom-fonts-render.php:135)
action init (classes\class-bsf-custom-fonts-render.php:136)
filter elementor/fonts/groups (classes\class-bsf-custom-fonts-render.php:138)
filter elementor/fonts/additional_fonts (classes\class-bsf-custom-fonts-render.php:139)
filter astra_google_fonts_selected (classes\class-bsf-custom-fonts-render.php:141)
filter wp_enqueue_scripts (classes\class-bsf-custom-fonts-render.php:143)
action enqueue_block_assets (classes\class-bsf-custom-fonts-render.php:359)
action enqueue_block_editor_assets (classes\class-bsf-custom-fonts-render.php:361)
filter all_plugins (classes\class-bsf-custom-fonts-white-label.php:57)
filter astra_addon_branding_options (classes\class-bsf-custom-fonts-white-label.php:58)
action astra_pro_white_label_add_form (classes\class-bsf-custom-fonts-white-label.php:59)
filter bsf_custom_fonts_menu_title (classes\class-bsf-custom-fonts-white-label.php:61)
filter plugin_row_meta (classes\class-bsf-custom-fonts-white-label.php:64)
filter filesystem_method (includes\class-bcf-filesystem.php:53)
filter request_filesystem_credentials (includes\class-bcf-filesystem.php:54)
action admin_init (includes\class-bcf-google-fonts-compatibility.php:89)
action init (includes\class-bsf-custom-fonts-posttype.php:72)
action init (includes\class-bsf-custom-fonts-taxonomy.php:72)
action rest_api_init (includes\class-custom-fonts-api-init.php:87)
action admin_init (includes\plugin-update\class-custom-fonts-update.php:50)
action wp (includes\plugin-update\class-custom-fonts-update.php:52)
action rest_api_init (includes\rest-api\class-cf-bsf-analytics-compatibility.php:29)

Maintenance & Trust

Custom Fonts – Host Your Fonts Locally Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 19, 2026
PHP min version
Downloads: 6.3M

Community Trust

Rating: 86/100
Number of ratings: 62
Active installs: 300K

Developer Profile

Custom Fonts – Host Your Fonts Locally Developer Profile

Brainstorm Force

32 plugins · 8.6M total installs

Trust score: 78
Avg Security Score: 98/100
Avg Patch Time: 196 days
Detection Fingerprints

How We Detect Custom Fonts – Host Your Fonts Locally

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/custom-fonts/admin/bsf-analytics/assets/css/minified/style.min.css
/wp-content/plugins/custom-fonts/admin/bsf-analytics/assets/css/unminified/style.css

HTML / DOM Fingerprints

CSS Classes
bsf-custom-fonts
Data Attributes
name="ast_white_label[bsf-custom-fonts][name]"
name="ast_white_label[bsf-custom-fonts][description]"
JS Globals
BSF_ANALYTICS_VERSION
BSF_ANALYTICS_URI
BSF_CUSTOM_FONTS_VER
REST Endpoints
/wp-json/bsf-core/v1/analytics/