Atomic Edge analysis of CVE-2026-1800 (metadata-based):
This vulnerability is an unauthenticated, time-based SQL injection in the Fonts Manager | Custom Fonts WordPress plugin, affecting all versions up to and including 1.2. The flaw resides in the handling of the `fmcfIdSelectedFnt` parameter, allowing attackers to execute arbitrary SQL commands. The CVSS score of 7.5 (High) reflects its network-based attack vector and high impact on confidentiality.

Atomic Edge research infers the root cause is improper neutralization of user input within an SQL command (CWE-89). The description cites insufficient escaping of the user-supplied parameter and a lack of sufficient preparation on the existing SQL query. This strongly suggests the plugin interpolated the `fmcfIdSelectedFnt` value directly into an SQL query string rather than binding it through `$wpdb->prepare()`. These conclusions are inferred from the CWE classification and standard WordPress security practice, as no source code diff is available for confirmation.

Exploitation likely targets a public-facing WordPress AJAX handler. A common pattern is for font management plugins to expose AJAX endpoints for front-end functionality. An attacker would send a POST request to `/wp-admin/admin-ajax.php`. The `action` parameter would correspond to a hook registered by the plugin, potentially derivable from the plugin slug (e.g., `fonts_manager_custom_fonts_action`). The malicious SQL payload would be placed in the `fmcfIdSelectedFnt` parameter, using a time-based blind technique like `SLEEP(5)` to extract data incrementally.

Effective remediation requires proper input validation and use of WordPress’s secure database API. The fix must replace any direct variable interpolation in SQL queries with parameter binding through `$wpdb->prepare()`. The developer should also ensure the endpoint performs capability checks or nonce verification to enforce authentication where required. Without the patched version available, these changes are inferred as the necessary corrections.
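The inferred defect and the recommended fix, side by side, as an added illustration that is not the plugin's actual code: the table name, column names, nonce action and AJAX hook name are hypothetical placeholders, since the plugin source is not available.

```php
<?php
// Added illustration (not the plugin's own code): the pattern the analysis
// infers, followed by the remediation it recommends. Table name, column names,
// nonce action and hook name are hypothetical placeholders.

// Inferred vulnerable pattern (CWE-89): the request value is concatenated
// straight into the SQL string, so the caller controls the query text.
function fmcf_get_font_unsafe() {
    global $wpdb;
    $id  = isset( $_POST['fmcfIdSelectedFnt'] ) ? $_POST['fmcfIdSelectedFnt'] : '';
    $sql = "SELECT * FROM {$wpdb->prefix}fmcf_fonts WHERE id = '" . $id . "'";
    return $wpdb->get_row( $sql ); // hypothetical table; injectable
}

// Hardened handler: nonce check, capability check, type coercion, and a
// parameterised query built with $wpdb->prepare().
function fmcf_get_font_safe() {
    global $wpdb;

    // Reject requests that do not carry the plugin's nonce (hypothetical action name).
    check_ajax_referer( 'fmcf_font_nonce', 'nonce' );

    // Only users permitted to manage theme assets should reach the query at all.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // absint() coerces to a non-negative integer, so no SQL metacharacters survive.
    $id = isset( $_POST['fmcfIdSelectedFnt'] )
        ? absint( wp_unslash( $_POST['fmcfIdSelectedFnt'] ) )
        : 0;
    if ( 0 === $id ) {
        wp_send_json_error( 'invalid id', 400 );
    }

    // %d binds an integer placeholder; the value never becomes part of the query text.
    $row = $wpdb->get_row(
        $wpdb->prepare( "SELECT id, font_name FROM {$wpdb->prefix}fmcf_fonts WHERE id = %d", $id )
    );

    wp_send_json_success( $row );
}

// Register the hardened handler for logged-in users only. No wp_ajax_nopriv_
// registration is added, so the endpoint is not reachable unauthenticated.
add_action( 'wp_ajax_fmcf_get_font', 'fmcf_get_font_safe' ); // hypothetical action name
```

If the plugin legitimately needs the endpoint on the public front end, the `wp_ajax_nopriv_` registration can be kept, but the `$wpdb->prepare()` binding and the integer coercion remain the controls that close CWE-89.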

The primary impact is unauthorized extraction of sensitive information from the WordPress database. Successful exploitation could allow an attacker to retrieve hashed user passwords, user emails, API keys, and other confidential data stored in plugin tables or the core `wp_users` and `wp_posts` tables. This data breach can lead to further attacks, including site takeover. The vulnerability does not directly enable privilege escalation or remote code execution.