Fonto – Custom Web Fonts Manager Security & Risk Analysis

wordpress.org/plugins/fonto

Use your custom premium web fonts directly in the Editor or with the Customify and Style Manager plugins. Works with Typekit, MyFonts, Fonts.

2K active installs · v1.2.2 · PHP 5.6.20+ · WP 4.9.9+ · Updated Oct 16, 2024

Tags: custom-font, custom-fonts, custom-web-fonts, font-manager, fonts

Security score: 70 (B · Generally Safe)
CVEs total: 2
Unpatched: 1
Last CVE: Apr 3, 2025
Safety Verdict

Is Fonto – Custom Web Fonts Manager Safe to Use in 2026?

Mostly Safe

Score 70/100

Fonto – Custom Web Fonts Manager is generally safe to use though it hasn't been updated recently. 2 past CVEs were resolved. Keep it updated.

2 known CVEs · 1 unpatched · Last CVE: Apr 3, 2025 · Updated 1 yr ago
Risk Assessment

The Fonto plugin v1.2.2 exhibits a mixed security posture. While it demonstrates good practices in certain areas, such as using prepared statements for all SQL queries and a high percentage of properly escaped output, significant concerns remain. The presence of two unprotected AJAX handlers creates a substantial attack surface that could be exploited by unauthenticated users. The plugin's vulnerability history is particularly concerning, with two previously disclosed medium-severity vulnerabilities, one of which remains unpatched. These past vulnerabilities, specifically Path Traversal and Cross-site Scripting, indicate a recurring pattern of insecure input handling, which is further suggested by the remaining unescaped output and the lack of capability checks on its entry points.

The static analysis reveals two unprotected AJAX handlers, which are direct entry points without authentication. This is a critical oversight. The absence of capability checks on any of the entry points means that even if authentication were present, authorization is not being enforced. Furthermore, the bundled TinyMCE library, while not explicitly flagged as outdated in this analysis, represents a potential risk if it is an older, vulnerable version. The taint analysis showing zero flows with unsanitized paths is a positive sign, suggesting that known path traversal vectors might have been addressed in this version, but the historical pattern of such vulnerabilities should not be ignored.

In conclusion, Fonto v1.2.2 has strengths in its handling of database queries and output sanitization. However, the unprotected AJAX endpoints and the unpatched medium-severity vulnerability from its history represent significant risks. The recurring types of past vulnerabilities (Path Traversal, XSS) and the lack of capability checks are red flags that warrant immediate attention. The plugin's overall security is compromised by these factors, making it a potentially risky component for any WordPress installation.

Key Concerns

  • Unprotected AJAX handlers
  • Unpatched CVE (medium severity)
  • Lack of capability checks on entry points
  • Bundled libraries (TinyMCE)
  • Past vulnerabilities (Path Traversal, XSS)
Vulnerabilities (2)

Fonto – Custom Web Fonts Manager Security Vulnerabilities

CVEs by Year

2024: 1 CVE (patched)
2025: 1 CVE (unpatched)

Severity Breakdown

Medium: 2

2 total CVEs

CVE-2025-31827 · medium · 6.5 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Fonto <= 1.2.2 - Authenticated (Author+) Arbitrary File Download

Apr 3, 2025 · Unpatched
CVE-2024-8920 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Fonto – Custom Web Fonts Manager <= 1.2.1 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

Oct 16, 2024 · Patched in 1.2.2 (1d)
Code Analysis
Analyzed Mar 16, 2026

Fonto – Custom Web Fonts Manager Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (1 prepared)
Unescaped Output: 6 (41 escaped)
Nonce Checks: 1
Capability Checks: 0
File Operations: 2
External Requests: 0
Bundled Libraries: 1

Bundled Libraries

TinyMCE

SQL Query Safety

100% prepared (1 total query)

Output Escaping

87% escaped (47 total outputs)
Attack Surface
2 unprotected

Fonto – Custom Web Fonts Manager Attack Surface

Entry Points: 3
Unprotected: 2

AJAX Handlers (3)

auth · wp_ajax_fonto_editor_dynamic_css · includes\class-fonto-output.php:326
nopriv · wp_ajax_fonto_editor_dynamic_css · includes\class-fonto-output.php:327
auth · wp_ajax_sample_font_url_path · includes\class-fonto-post-types.php:95
WordPress Hooks (27)

action · admin_notices · includes\class-fonto-init.php:111
action · admin_notices · includes\class-fonto-init.php:137
action · wp_head · includes\class-fonto-output.php:99
filter · mce_buttons_2 · includes\class-fonto-output.php:102
filter · tiny_mce_before_init · includes\class-fonto-output.php:103
filter · mce_external_plugins · includes\class-fonto-output.php:106
action · admin_init · includes\class-fonto-output.php:117
action · cmb2_admin_init · includes\class-fonto-post-types.php:79
filter · cmb2_enqueue_css · includes\class-fonto-post-types.php:81
action · admin_enqueue_scripts · includes\class-fonto-post-types.php:85
action · admin_enqueue_scripts · includes\class-fonto-post-types.php:86
filter · upload_dir · includes\class-fonto-post-types.php:89
filter · cmb2_input_attributes · includes\class-fonto-post-types.php:92
filter · wp_handle_upload_prefilter · includes\class-fonto.php:146
action · init · includes\class-fonto.php:169
action · admin_enqueue_scripts · includes\class-fonto.php:181
action · admin_enqueue_scripts · includes\class-fonto.php:182
action · init · includes\class-fonto.php:185
filter · upload_mimes · includes\class-fonto.php:198
filter · wp_check_filetype_and_ext · includes\class-fonto.php:199
filter · cmb2_script_dependencies · includes\class-fonto.php:296
action · customify_typography_font_family_before_options · includes\integrations\customify.php:124
action · customify_font_family_before_options · includes\integrations\customify.php:152
filter · customify_third_party_fonts · includes\integrations\customify.php:177
filter · customify_third_party_font_group_label · includes\integrations\customify.php:184
filter · style_manager/third_party_fonts · includes\integrations\style-manager.php:124
filter · style_manager/third_party_font_group_label · includes\integrations\style-manager.php:131
Maintenance & Trust

Fonto – Custom Web Fonts Manager Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.6.5
Last updated: Oct 16, 2024
PHP min version: 5.6.20
Downloads: 38K

Community Trust

Rating: 60/100
Number of ratings: 4
Active installs: 2K
Developer Profile

Fonto – Custom Web Fonts Manager Developer Profile

vlad.olaru

1 plugin · 2K total installs

Trust score: 79
Avg Security Score: 70/100
Avg Patch Time: 1 day
Detection Fingerprints

How We Detect Fonto – Custom Web Fonts Manager

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/fonto/assets/css/admin-style.css
/wp-content/plugins/fonto/assets/js/admin-script.js
Script Paths
/wp-content/plugins/fonto/assets/js/admin-script.js
Version Parameters
fonto/assets/css/admin-style.css?ver=
fonto/assets/js/admin-script.js?ver=

HTML / DOM Fingerprints

CSS Classes
cmb2-wrap, cmb2-id-fonto-font-details
HTML Comments
<!-- Fonto: Start Font Details -->
<!-- Fonto: End Font Details -->
Data Attributes
data-objectid, data-objecttype
JS Globals
fonto
REST Endpoints
/wp-json/fonto/
FAQ

Frequently Asked Questions about Fonto – Custom Web Fonts Manager