Atomic Edge analysis of CVE-2025-14351:
This vulnerability is a Missing Authorization flaw in the Custom Fonts WordPress plugin. It allows unauthenticated attackers to trigger a font directory deletion and theme.json rewrite, leading to data loss. The vulnerability affects all plugin versions up to and including 2.1.16.

Atomic Edge research identifies the root cause in the `__construct` method of the `BCF_Google_Fonts_Compatibility` class. The constructor executed destructive file system operations without any capability or nonce verification. The vulnerable code path is in the file `custom-fonts/includes/class-bcf-google-fonts-compatibility.php`. The constructor ran on every page load, checking for the `page` GET parameter matching `BSF_CUSTOM_FONTS_ADMIN_PAGE`. If this condition passed, the method proceeded to delete the fonts folder and call `self::delete_all_theme_font_family()`.

Exploitation requires an attacker to send a single HTTP GET request to any WordPress page where the plugin is active. The request must include the query parameter `page` set to `bsf-custom-fonts`. No authentication, nonce, or other parameters are required. The attack vector is low-complexity, as the vulnerable code triggers immediately upon meeting the condition in the constructor.

The patch in version 2.1.17 restructures the logic. The destructive operations are moved from the constructor to a new method, `maybe_rebuild_fonts()`, which is hooked to `admin_init`. The patch adds three critical security checks: it verifies the new `bcf_rebuild_fonts` GET parameter, checks the user capability with `current_user_can('manage_options')`, and validates a nonce with `wp_verify_nonce`. The patch also adds a safe redirect after the operation. Before the patch, the operation could be triggered without authentication; after it, the function is restricted to authenticated administrators presenting a valid nonce.
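The following is an added example, not code from the Custom Fonts plugin, reconstructing from the root-cause description above and the patch description the difference between the vulnerable constructor pattern and the hardened `admin_init` handler with its three checks. Class and method names other than those quoted on the page, the nonce action string, and the placeholder bodies of `delete_fonts_folder()` and `delete_all_theme_font_family()` are assumptions; the WordPress functions used (`add_action`, `current_user_can`, `wp_verify_nonce`, `wp_safe_redirect`, `wp_nonce_url`, `WP_Filesystem`) are the real core APIs.

```php
<?php
// Added example (not the plugin's own code): the authorization pattern the
// 2.1.17 fix introduces, reconstructed from the analysis above. Names marked
// HYPOTHETICAL are assumptions; the plugin's real helpers may differ.

// Vulnerable pattern (pre-2.1.17, as the analysis describes): the constructor
// keys a destructive operation off a request parameter, with no capability or
// nonce check, and runs on every page load, front-end included.
//
//   public function __construct() {
//       if ( isset( $_GET['page'] ) && BSF_CUSTOM_FONTS_ADMIN_PAGE === $_GET['page'] ) {
//           $this->delete_fonts_folder();          // unconditional data loss
//           self::delete_all_theme_font_family();  // theme.json rewrite
//       }
//   }

class BCF_Google_Fonts_Compatibility_Example { // HYPOTHETICAL class name

    const NONCE_ACTION = 'bcf_rebuild_fonts'; // HYPOTHETICAL nonce action name

    public function __construct() {
        // Hardened: the constructor only registers a hook. No file system
        // writes happen during object construction or on front-end requests.
        add_action( 'admin_init', array( $this, 'maybe_rebuild_fonts' ) );
    }

    /**
     * Runs on admin_init and performs the rebuild only when all three
     * checks pass: explicit trigger parameter, capability, and nonce.
     */
    public function maybe_rebuild_fonts() {
        // Check 1: a dedicated opt-in parameter, not the generic `page` value.
        if ( ! isset( $_GET['bcf_rebuild_fonts'] ) ) {
            return;
        }

        // Check 2: capability. Anonymous visitors and low-privilege roles stop here.
        if ( ! current_user_can( 'manage_options' ) ) {
            return;
        }

        // Check 3: nonce, which ties the request to the current user's session
        // and blocks CSRF even when an administrator is the victim.
        $nonce = isset( $_GET['_wpnonce'] )
            ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) )
            : '';
        if ( ! wp_verify_nonce( $nonce, self::NONCE_ACTION ) ) {
            return;
        }

        $this->delete_fonts_folder();
        self::delete_all_theme_font_family();

        // Safe redirect back to the same screen without the trigger parameters,
        // so a browser refresh cannot replay the destructive operation.
        wp_safe_redirect( remove_query_arg( array( 'bcf_rebuild_fonts', '_wpnonce' ) ) );
        exit;
    }

    /**
     * Builds the admin-side link. wp_nonce_url() appends a _wpnonce value
     * valid for the current user, which is what check 3 above verifies.
     */
    public function get_rebuild_url() {
        $url = add_query_arg(
            array( 'page' => 'bsf-custom-fonts', 'bcf_rebuild_fonts' => '1' ),
            admin_url( 'admin.php' )
        );
        return wp_nonce_url( $url, self::NONCE_ACTION );
    }

    /**
     * Removes wp-content/uploads/bsf-custom-fonts/ via the WP_Filesystem API.
     * HYPOTHETICAL body standing in for the plugin's bcf_filesystem() helper.
     */
    private function delete_fonts_folder() {
        global $wp_filesystem;
        if ( ! function_exists( 'WP_Filesystem' ) ) {
            require_once ABSPATH . 'wp-admin/includes/file.php';
        }
        WP_Filesystem();
        $upload_dir = wp_upload_dir();
        $fonts_dir  = trailingslashit( $upload_dir['basedir'] ) . 'bsf-custom-fonts';
        if ( $wp_filesystem && $wp_filesystem->is_dir( $fonts_dir ) ) {
            $wp_filesystem->rmdir( $fonts_dir, true ); // recursive delete
        }
    }

    /**
     * Placeholder for the plugin's theme.json rewrite; the real method's body
     * is not reproduced here (it is named on the page but not shown).
     */
    private static function delete_all_theme_font_family() {
        // HYPOTHETICAL: the real plugin rewrites the active theme's theme.json.
    }
}
```

The key defensive point is the ordering: the code returns early on the first failed check, and the nonce check comes after the capability check so that an unauthenticated request never reaches `wp_verify_nonce` at all. Hooking to `admin_init` rather than running in the constructor also means a plain front-end page load can no longer reach the destructive path.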

Successful exploitation results in unauthorized data loss. The `bcf_filesystem()` call deletes the entire `wp-content/uploads/bsf-custom-fonts/` directory. The `self::delete_all_theme_font_family()` and `update_fse_theme_json()` methods modify or delete the active theme’s `theme.json` file. This can break site appearance and functionality, requiring restoration from backups.