Use Any Font | Custom Font Uploader Security & Risk Analysis

wordpress.org/plugins/use-any-font

Upload custom fonts with custom font uploader. Auto converts to woff2 for better performance. Self-hosted, GDPR compliant, and easy custom font plugin

200K active installs · v6.3.14 · PHP 7.0+ · WP 4.0+ · Updated Dec 20, 2025
Tags: custom-fonts, font-manager, font-uploader, google-fonts, typography
Score: 97 (A · Safe)
CVEs total: 4
Unpatched: 0
Last CVE: Sep 25, 2024
Safety Verdict

Is Use Any Font | Custom Font Uploader Safe to Use in 2026?

Generally Safe

Score 97/100

Use Any Font | Custom Font Uploader has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Sep 25, 2024 · Updated 3mo ago
Risk Assessment

The "use-any-font" plugin v6.3.14 presents a mixed security posture. On the positive side, it demonstrates good practices by exclusively using prepared statements for SQL queries and has a high percentage of properly escaped outputs. The absence of dangerous functions and bundled libraries is also a strength. However, a significant concern arises from the attack surface analysis, which reveals one AJAX handler without any authentication checks. This represents a direct entry point for potential exploitation.

Taint analysis indicates two flows with unsanitized paths, though thankfully, these did not escalate to critical or high severity issues. While the current version has no unpatched CVEs, the plugin's history of four medium-severity vulnerabilities, including Cross-site Scripting (XSS), Cross-Site Request Forgery (CSRF), and Missing Authorization, is a strong indicator of past security weaknesses. The recent nature of the last vulnerability (September 2024) suggests ongoing attention to security is required.

In conclusion, while the plugin has made strides in secure coding practices like prepared statements and output escaping, the presence of an unprotected AJAX endpoint and a history of past vulnerabilities necessitate caution. The potential for exploitation via the unprotected AJAX handler and the historical patterns of common web vulnerabilities suggest that ongoing vigilance and regular updates are crucial for maintaining security.

Key Concerns

  • AJAX handler without authentication check
  • Flows with unsanitized paths found
  • History of 4 medium severity CVEs
Vulnerabilities (4)

Use Any Font | Custom Font Uploader Security Vulnerabilities

CVEs by Year

  • 2022: 3 CVEs
  • 2024: 1 CVE

Severity Breakdown

  • Medium: 4

4 total CVEs

CVE-2024-47305 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Use Any Font <= 6.3.08 - Cross-Site Request Forgery

Sep 25, 2024 · Patched in 6.3.09 (8d)

WF-58884dcb-dad3-4856-aa54-c5b769d4f9e1-use-any-font · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Use Any Font | Custom Font Uploader <= 6.2.7 - Cross-Site Scripting

May 10, 2022 · Patched in 6.2.8 (623d)

CVE-2022-27851 · medium · 5.4 · Cross-Site Request Forgery (CSRF)

Use Any Font <= 6.1.7 - Cross-Site Request Forgery to API Key Deactivation

Mar 30, 2022 · Patched in 6.1.8 (663d)

CVE-2021-24977 · medium · 6.1 · Missing Authorization

Use Any Font <= 6.2.0 - Unauthenticated Arbitrary CSS Appending

Jan 31, 2022 · Patched in 6.2.1 (722d)
Code Analysis
Analyzed Mar 16, 2026

Use Any Font | Custom Font Uploader Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 13 (126 escaped)
  • Nonce Checks: 8
  • Capability Checks: 1
  • File Operations: 14
  • External Requests: 4
  • Bundled Libraries: 0

Output Escaping

91% escaped · 139 total outputs
Data Flows: 2 unsanitized

Data Flow Analysis

4 flows · 2 with unsanitized paths
uaf_api_key_activate (includes\functions\uaf_admin_functions.php:52)
Attack Surface: 1 unprotected

Use Any Font | Custom Font Uploader Attack Surface

Entry Points: 1
Unprotected: 1

AJAX Handlers (1)

  • auth · wp_ajax_uaf_predefined_font_interface · use-any-font.php:30

WordPress Hooks (26)

  • filter · mce_buttons_2 · includes\functions\uaf_editor_functions.php:6
  • filter · tiny_mce_before_init · includes\functions\uaf_editor_functions.php:7
  • filter · et_websafe_fonts · includes\functions\uaf_editor_functions.php:30
  • filter · siteorigin_widgets_font_families · includes\functions\uaf_editor_functions.php:56
  • filter · x_fonts_data · includes\functions\uaf_editor_functions.php:89
  • action · elementor/controls/controls_registered · includes\functions\uaf_editor_functions.php:120
  • filter · fl_theme_system_fonts · includes\functions\uaf_editor_functions.php:123
  • filter · fl_builder_font_families_system · includes\functions\uaf_editor_functions.php:124
  • filter · themify_get_web_safe_font_list · includes\functions\uaf_editor_functions.php:150
  • filter · generate_typography_default_fonts · includes\functions\uaf_editor_functions.php:166
  • action · astra_customizer_font_list · includes\functions\uaf_editor_functions.php:172
  • action · ct_builder_ng_init · includes\functions\uaf_editor_functions.php:194
  • filter · kirki/fonts/standard_fonts · includes\functions\uaf_editor_functions.php:203
  • filter · revslider_data_get_font_familys · includes\functions\uaf_editor_functions.php:220
  • filter · vc_google_fonts_get_fonts_filter · includes\functions\uaf_editor_functions.php:237
  • filter · presscore_options_get_safe_fonts · includes\functions\uaf_editor_functions.php:255
  • filter · kadence_blocks_add_custom_fonts · includes\functions\uaf_editor_functions.php:294
  • filter · kadence_theme_add_custom_fonts · includes\functions\uaf_editor_functions.php:295
  • filter · bricks/builder/standard_fonts · includes\functions\uaf_editor_functions.php:302
  • filter · neve_react_controls_localization · includes\functions\uaf_editor_functions.php:327
  • action · init · use-any-font.php:22
  • action · admin_menu · use-any-font.php:23
  • action · admin_enqueue_scripts · use-any-font.php:24
  • action · wp_enqueue_scripts · use-any-font.php:25
  • action · admin_notices · use-any-font.php:26
  • action · after_switch_theme · use-any-font.php:28
Maintenance & Trust

Use Any Font | Custom Font Uploader Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 20, 2025
PHP min version: 7.0
Downloads: 7.2M

Community Trust

Rating: 94/100
Number of ratings: 1,143
Active installs: 200K
Developer Profile

Use Any Font | Custom Font Uploader Developer Profile

Dnesscarkey

5 plugins · 535K total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 474 days
Detection Fingerprints

How We Detect Use Any Font | Custom Font Uploader

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/use-any-font/assets/css/uaf_admin.css
  • /wp-content/plugins/use-any-font/assets/js/uaf_admin.js
Script Paths
  • /wp-content/plugins/use-any-font/assets/js/uaf_admin.js
Version Parameters
  • use-any-font/assets/css/uaf_admin.css?ver=
  • use-any-font/assets/js/uaf_admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • uaf_main_content
  • uaf_upload_file
  • uaf_upload_button
HTML Comments
  • <!-- UAF Main Content -->
  • <!-- UAF Admin Tabs -->
  • <!-- UAF Interface -->
  • <!-- UAF API Key Settings -->
  • +5 more
Data Attributes
  • data-uaf-tab
JS Globals
  • uaf_server_url