Attack Vectors
Fonts Manager | Custom Fonts (slug: fonts-manager-custom-fonts) is affected by a High severity vulnerability (CVSS 7.5, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) tracked as CVE-2026-1800. Because the issue is unauthenticated, an attacker does not need a login, and no user interaction is required.
The reported attack path is via the fmcfIdSelectedFnt parameter. Attackers can probe public-facing endpoints and use time-based techniques to infer database information, which can be performed quietly over time and scaled across many sites.
Security Weakness
The plugin is vulnerable to time-based SQL injection in versions up to and including 1.2, due to insufficient escaping of user-supplied input and lack of sufficient preparation in an existing SQL query involving the fmcfIdSelectedFnt parameter.
As described in the advisory, this weakness can allow an unauthenticated attacker to append malicious SQL to existing queries and extract sensitive information from the WordPress database. Source: Wordfence vulnerability record.
Remediation status: there is no known patch available at this time. Organizations should evaluate mitigations based on risk tolerance; in many cases, the safest option is to uninstall the affected plugin and replace it with a maintained alternative.
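The weakness described above (input spliced into an existing query instead of being bound as a parameter) is easiest to see side by side with its fix. The following is an added illustration, not code from the Fonts Manager | Custom Fonts plugin or from the advisory: it uses an in-memory SQLite table as a constructed stand-in for the plugin's font data (the real schema is not on the page), assumes the legitimate value of fmcfIdSelectedFnt is a numeric id, and shows the concatenated query next to a bound one. In WordPress the bound form is what `$wpdb->prepare()` provides.

```python
import sqlite3


def make_db():
    """Constructed stand-in for a plugin's font table; the real schema is not on the page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fonts (id INTEGER PRIMARY KEY, name TEXT, license_key TEXT)")
    conn.executemany(
        "INSERT INTO fonts VALUES (?, ?, ?)",
        [(1, "Open Sans", "key-1"), (2, "Roboto", "key-2"), (3, "Lato", "key-3")],
    )
    conn.commit()
    return conn


def select_font_vulnerable(conn, selected):
    """The pattern the advisory describes: request input spliced into the SQL text.
    Wrapping the value in quotes does not help; the quote itself is part of the input surface."""
    sql = f"SELECT id, name FROM fonts WHERE id = '{selected}'"
    return conn.execute(sql).fetchall()


def select_font_safe(conn, selected):
    """Placeholder binding: the driver passes the value as data, never as SQL text.
    In WordPress the equivalent is $wpdb->prepare("... WHERE id = %d", $value)."""
    return conn.execute("SELECT id, name FROM fonts WHERE id = ?", (selected,)).fetchall()


def font_id_from_request(raw):
    """Allow-list validation ahead of the query (assumption: font ids are non-negative integers).
    Rejecting anything else is a defence-in-depth layer, not a substitute for binding."""
    if not raw.isdigit() or len(raw) > 10:
        raise ValueError("fmcfIdSelectedFnt must be a numeric id")
    return int(raw)


if __name__ == "__main__":
    db = make_db()
    hostile = "' OR '1'='1"  # constructed illustration of SQL text reaching the query
    print("concatenated:", select_font_vulnerable(db, hostile))  # every row comes back
    print("bound:       ", select_font_safe(db, hostile))        # nothing matches
```

With the concatenated query the hostile string becomes part of the WHERE clause and every row is returned; with the bound query the same string is compared as a literal id and matches nothing. The `font_id_from_request` check is the kind of server-side filtering a site owner can apply in front of the endpoint while no vendor patch exists.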
Technical or Business Impacts
This vulnerability’s primary risk is confidentiality loss: the CVSS vector rates confidentiality impact High, with no integrity or availability impact. If exploited, attackers may be able to extract data stored in the WordPress database. Depending on what your site stores, this can include business-critical content, internal user details, customer records, order metadata, API keys, or other sensitive configuration information.
For marketing leaders and executives, the business consequences can include brand damage (loss of customer trust), regulatory and contractual exposure (privacy obligations, vendor security addendums), and incident response costs (forensics, legal review, customer communications, and accelerated re-platforming). Because the attack is unauthenticated and can be automated, the likelihood of opportunistic scanning and exploitation attempts is elevated for any internet-accessible site running the affected versions.
Risk-reduction actions to consider immediately (given no known patch):
Remove or disable Fonts Manager | Custom Fonts where feasible
Restrict public access to any endpoints that accept the vulnerable parameter (e.g., via WAF rules or server-side request filtering)
Review database permissions to ensure the WordPress database user has least-privilege access
Increase monitoring for unusual database/query patterns and suspicious request parameters
Validate what sensitive data is stored in WordPress to understand worst-case exposure
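Two of the actions above, filtering requests that carry the vulnerable parameter and monitoring for suspicious request patterns, can be combined in one check run over the web server's access log. The following is an added example, not a tool from the advisory or the plugin author: it assumes an nginx-style combined log format with `$request_time` appended as the last field, assumes legitimate fmcfIdSelectedFnt values are small integers, and uses generic SQL delay-function patterns as the signature of time-based probing. The log lines are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

PARAM = "fmcfIdSelectedFnt"  # parameter named in the advisory

# Assumption: a legitimate value is a small non-negative integer (a font id).
VALID_VALUE = re.compile(r"\d{1,10}")

# Generic SQL fragments; delay functions are the defining feature of time-based probing.
SQL_PATTERN = re.compile(
    r"sleep\s*\(|benchmark\s*\(|\bwaitfor\b|\bunion\b|\bor\b\s+\d+\s*=\s*\d+|--|/\*|['\"]",
    re.IGNORECASE,
)

# Assumption: combined log format with $request_time (seconds) as the final field.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)" (?P<rt>\d+(?:\.\d+)?)$'
)


def param_value(request):
    """Return the decoded PARAM value from a 'METHOD /path?query HTTP/x' string, or None."""
    parts = request.split()
    if len(parts) < 2:
        return None
    values = parse_qs(urlsplit(parts[1]).query, keep_blank_values=True).get(PARAM)
    return values[0] if values else None


def classify_value(value):
    """ok: matches the expected shape; attack-pattern: SQL fragments or oversized;
    unexpected: anything else that a WAF rule or server-side filter should reject."""
    if value is None:
        return "absent"
    if VALID_VALUE.fullmatch(value):
        return "ok"
    if SQL_PATTERN.search(value) or len(value) > 64:
        return "attack-pattern"
    return "unexpected"


def parse_line(line):
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rt"] = float(rec["rt"])
    rec["value"] = param_value(rec["req"])
    rec["verdict"] = classify_value(rec["value"])
    return rec


def scan(lines, slow_seconds=2.0):
    """Return records worth a look: a bad value, or a slow response on a request carrying PARAM.
    Slow responses matter because time-based probing succeeds by making the database wait."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["value"] is None:
            continue
        rec["slow"] = rec["rt"] >= slow_seconds
        if rec["verdict"] != "ok" or rec["slow"]:
            findings.append(rec)
    return findings


def repeat_offenders(findings, min_hits=2):
    """Clients sending attack-pattern values more than once: candidates for blocking."""
    hits = Counter(f["ip"] for f in findings if f["verdict"] == "attack-pattern")
    return {ip for ip, n in hits.items() if n >= min_hits}


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Jan/2026:10:00:01 +0000] "GET /?fmcfIdSelectedFnt=3 HTTP/1.1" 200 1024 "-" "Mozilla/5.0" 0.041',
    '198.51.100.7 - - [10/Jan/2026:10:00:05 +0000] "GET /?fmcfIdSelectedFnt=3%20AND%20SLEEP%285%29 HTTP/1.1" 200 1024 "-" "python-requests/2.31" 5.012',
    '198.51.100.7 - - [10/Jan/2026:10:00:11 +0000] "GET /?fmcfIdSelectedFnt=3%20AND%20SLEEP%280%29 HTTP/1.1" 200 1024 "-" "python-requests/2.31" 0.039',
    '203.0.113.22 - - [10/Jan/2026:10:00:20 +0000] "GET /?fmcfIdSelectedFnt=abc HTTP/1.1" 200 1024 "-" "Mozilla/5.0" 0.038',
    '203.0.113.10 - - [10/Jan/2026:10:00:30 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0" 0.050',
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for rec in found:
        print(rec["ip"], rec["verdict"], "slow" if rec["slow"] else "", repr(rec["value"]))
    print("repeat offenders:", repeat_offenders(found))
```

The same `classify_value` logic, applied before the request reaches WordPress, is the server-side filter the list above refers to: anything that is not a plain integer never reaches the query. Run over the log, it also catches the slow-response signature of time-based probing even when the payload itself is obfuscated past the keyword patterns.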
Similar Attacks
SQL injection has a long track record of leading to major data exposure and reputational harm. A few notable examples include:
TalkTalk (2015) – breach publicly reported as linked to SQL injection
Heartland Payment Systems (2008) – U.S. DOJ case tied to a major payment-card data breach
OWASP – background on SQL injection and why it remains a common web attack