WP-Safety

Web Fonts Security & Risk Analysis

wordpress.org/plugins/web-fonts

Start using web fonts on your site today! Support for web fonts from Fonts.com and Google Web Fonts is included.

200 active installs v1.1.6 PHP + WP 3.3+ Updated Aug 26, 2013
content-displayfontstheme-enhancementwebfonts
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is Web Fonts Safe to Use in 2026?

Generally Safe

Score 85/100

Web Fonts has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 12yr ago
Risk Assessment

The "web-fonts" plugin v1.1.6 presents a generally good security posture based on the provided static analysis and vulnerability history. The absence of known CVEs and the plugin's adherence to using prepared statements for SQL queries are strong indicators of diligent development practices. Furthermore, the lack of taint analysis findings with unsanitized paths, critical or high severity, suggests that common injection vulnerabilities are not present.

However, there are areas for improvement. A significant concern is the low percentage of properly escaped output (31%), which can leave the plugin vulnerable to Cross-Site Scripting (XSS) attacks if user-supplied data is not adequately sanitized before being displayed. While the plugin has nonce checks on some AJAX handlers, the lack of capability checks on any of its AJAX handlers is a notable weakness, potentially allowing unauthenticated users to trigger actions they shouldn't have access to. The overall attack surface is moderate with 14 AJAX handlers, and the complete absence of capability checks on these is a risk.

In conclusion, the plugin's strengths lie in its SQL handling and lack of historical vulnerabilities. The primary weaknesses are the poor output escaping and the potential for unauthorized actions via AJAX due to missing capability checks. Addressing these specific areas would significantly improve the plugin's security.

Key Concerns

  • Low percentage of properly escaped output
  • No capability checks on AJAX handlers
Vulnerabilities
None known

Web Fonts Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Web Fonts Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
11
5 escaped
Nonce Checks
3
Capability Checks
0
File Operations
0
External Requests
0
Bundled Libraries
0

Output Escaping

31% escaped16 total outputs
Data Flows
All sanitized

Data Flow Analysis

4 flows
ajax_container (modules\fonts-com\fonts-com.php:70)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

Web Fonts Attack Surface

Entry Points14
Unprotected0

AJAX Handlers 14

authwp_ajax_web_fonts_fonts_com_clear_active_projectmodules\fonts-com\fonts-com.php:52
authwp_ajax_web_fonts_fonts_com_clear_keymodules\fonts-com\fonts-com.php:53
authwp_ajax_web_fonts_fonts_com_create_accountmodules\fonts-com\fonts-com.php:54
authwp_ajax_web_fonts_fonts_com_get_fontsmodules\fonts-com\fonts-com.php:55
authwp_ajax_web_fonts_fonts_com_get_project_datamodules\fonts-com\fonts-com.php:56
authwp_ajax_web_fonts_fonts_com_save_project_settingsmodules\fonts-com\fonts-com.php:57
authwp_ajax_web_fonts_fonts_com_set_embed_methodmodules\fonts-com\fonts-com.php:58
authwp_ajax_web_fonts_fonts_com_set_font_statusmodules\fonts-com\fonts-com.php:59
authwp_ajax_web_fonts_fonts_com_validate_email_passwordmodules\fonts-com\fonts-com.php:60
authwp_ajax_web_fonts_fonts_com_validate_keymodules\fonts-com\fonts-com.php:61
authwp_ajax_web_fonts_google_web_fonts_clear_keymodules\google-web-fonts\google-web-fonts.php:52
authwp_ajax_web_fonts_google_web_fonts_set_keymodules\google-web-fonts\google-web-fonts.php:53
authwp_ajax_web_fonts_google_web_fonts_get_fontsmodules\google-web-fonts\google-web-fonts.php:55
authwp_ajax_web_fonts_google_web_fonts_set_font_statusmodules\google-web-fonts\google-web-fonts.php:56
WordPress Hooks 15
actionadmin_enqueue_scriptsmodules\fonts-com\fonts-com.php:43
actionadmin_enqueue_scriptsmodules\fonts-com\fonts-com.php:44
actionweb_fonts_manage_stylesheet_fontsmodules\fonts-com\fonts-com.php:45
actionweb_fonts_manage_stylesheet_selectorsmodules\fonts-com\fonts-com.php:46
actionwp_headmodules\fonts-com\fonts-com.php:48
actionwp_headmodules\fonts-com\fonts-com.php:49
filterweb_fonts_manage_stylesheet_fonts_and_selectorsmodules\fonts-com\fonts-com.php:65
actionadmin_enqueue_scriptsmodules\google-web-fonts\google-web-fonts.php:44
actionweb_fonts_manage_stylesheet_fontsmodules\google-web-fonts\google-web-fonts.php:45
actionweb_fonts_manage_stylesheet_selectorsmodules\google-web-fonts\google-web-fonts.php:46
actionwp_headmodules\google-web-fonts\google-web-fonts.php:48
actionwp_headmodules\google-web-fonts\google-web-fonts.php:49
filterweb_fonts_manage_stylesheet_fonts_and_selectorsmodules\google-web-fonts\google-web-fonts.php:60
actionadmin_enqueue_scriptsweb-fonts.php:39
actionadmin_menuweb-fonts.php:40
Maintenance & Trust

Web Fonts Maintenance & Trust

Maintenance Signals

WordPress version tested3.6.1
Last updatedAug 26, 2013
PHP min version
Downloads42K

Community Trust

Rating46/100
Number of ratings8
Active installs200
Alternatives

Web Fonts Alternatives

Easy Google Fonts

Easy Google Fonts

easy-google-fonts

A
85

Adds google fonts to any theme without coding and integrates with the WordPress Customizer automatically for a realtime live preview.

100K No CVEs
TypeSquare Webfonts for エックスサーバー

TypeSquare Webfonts for エックスサーバー

xserver-typesquare-webfonts

A
99

エックスサーバー株式会社が提供する各レンタルサーバーサービスでWebフォントを利用できるプラグインです。

100K 1 CVE
TypeSquare Webfonts for ConoHa

TypeSquare Webfonts for ConoHa

ts-webfonts-for-conoha

A
85

ConoHa WINGで株式会社モリサワが提供するWebフォントサービス「TypeSquare」を利用できるプラグインです。

10K 1 CVE
Icons Font Loader – Load Web Fonts and Icon Libraries

Icons Font Loader – Load Web Fonts and Icon Libraries

icons-font-loader

A
98

Load essential Flaticon webfonts into your WordPress site. Use icons anywhere on your site with simple integration, ensuring fast performance.

2K 3 CVEs
Dehkadeh Fonts

Dehkadeh Fonts

dehkadeh-fonts

A
85

This plugin help you to set persian fonts and size for different parts of the theme via wordpress customizer as easily. Also you can set the custom fo …

1K No CVEs
Developer Profile

Web Fonts Developer Profile

nickohrn

12 plugins · 760 total installs

84
trust score
Avg Security Score
86/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Web Fonts

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/web-fonts/css/backend-common.css/wp-content/plugins/web-fonts/css/backend-fonts-com.css/wp-content/plugins/web-fonts/css/frontend-common.css/wp-content/plugins/web-fonts/css/frontend-fonts-com.css/wp-content/plugins/web-fonts/js/backend-common.js/wp-content/plugins/web-fonts/js/backend-fonts-com.js/wp-content/plugins/web-fonts/js/frontend-common.js/wp-content/plugins/web-fonts/js/frontend-fonts-com.js
Version Parameters
web-fonts/css/backend-common.css?ver=web-fonts/css/backend-fonts-com.css?ver=web-fonts/css/frontend-common.css?ver=web-fonts/css/frontend-fonts-com.css?ver=web-fonts/js/backend-common.js?ver=web-fonts/js/backend-fonts-com.js?ver=web-fonts/js/frontend-common.js?ver=web-fonts/js/frontend-fonts-com.js?ver=

HTML / DOM Fingerprints

CSS Classes
fonts-com-setup-new-cancelfonts-com-settings-pagefonts-com-project-settingsfonts-com-add-projectfonts-com-view-projectfonts-com-view-all-projectsfonts-com-edit-projectfonts-com-login-required+1 more
Data Attributes
data-fonts-com-settings
JS Globals
WebFonts
REST Endpoints
/wp-json/web-fonts-fonts-com/
FAQ

Frequently Asked Questions about Web Fonts