CVE-2026-1800 in Fonts Manager Plugin

Summary

by MITRE • 03/21/2026

The Fonts Manager | Custom Fonts plugin for WordPress is vulnerable to time-based SQL Injection via the ‘fmcfIdSelectedFnt’ parameter in all versions up to, and including, 1.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.


Analysis

by VulDB Data Team • 03/27/2026

The vulnerability identified as CVE-2026-1800 affects the Fonts Manager | Custom Fonts plugin for WordPress, specifically impacting versions through 1.2. This represents a critical security flaw that undermines the integrity of WordPress installations relying on this plugin. The vulnerability stems from inadequate input validation and sanitization practices within the plugin's codebase, creating an exploitable pathway for malicious actors to manipulate database queries through crafted input parameters.

The technical flaw manifests through the 'fmcfIdSelectedFnt' parameter, which is not escaped or bound before being incorporated into an SQL query. This parameter serves as the attack vector for time-based SQL injection: an attacker can craft the parameter so that injected SQL executes within the database context. The vulnerability is classified as time-based because the attacker infers information from the database by measuring response times, as the injected SQL causes a measurable delay in query execution only when a chosen condition holds. This weakness aligns with CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, i.e. SQL injection) and CWE-770 (Allocation of Resources Without Limits or Throttling).
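The root cause described above, a query assembled from a request parameter without preparation, as an added example that is not the plugin's code: a Python/SQLite stand-in with a hypothetical `fonts` table and hypothetical function names, showing the concatenated query beside the bound-parameter form and a type check on top of it (in WordPress the equivalent of parameter binding is `$wpdb->prepare()`). SQLite has no `SLEEP()`, so the delay-based variant is not reproduced here; the mechanism by which the parameter value changes the query's grammar is the same.

```python
import sqlite3

# Constructed sample data: a stand-in for a plugin's font table (hypothetical name and columns).
SAMPLE_FONTS = [
    (1, "Roboto", "public"),
    (2, "Inter", "public"),
    (3, "InternalCorp", "private"),  # should never be returned to an unauthenticated caller
]


def connect_sample_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE fonts (id INTEGER PRIMARY KEY, name TEXT, visibility TEXT)")
    con.executemany("INSERT INTO fonts VALUES (?, ?, ?)", SAMPLE_FONTS)
    return con


def lookup_font_unsafe(con: sqlite3.Connection, selected_id: str):
    """Vulnerable pattern (CWE-89): the request parameter is spliced into the SQL text,
    so a value such as '2 OR 1=1' becomes part of the WHERE clause and bypasses the
    visibility filter (AND binds tighter than OR)."""
    sql = "SELECT id, name FROM fonts WHERE visibility = 'public' AND id = " + selected_id
    return con.execute(sql).fetchall()


def lookup_font_prepared(con: sqlite3.Connection, selected_id):
    """Hardened pattern: the parameter is bound by the driver and is only ever a value.
    The same crafted string now matches no row instead of rewriting the query."""
    sql = "SELECT id, name FROM fonts WHERE visibility = 'public' AND id = ?"
    return con.execute(sql, (selected_id,)).fetchall()


def lookup_font_validated(con: sqlite3.Connection, selected_id: str):
    """Defence in depth: coerce to the expected type before binding and reject
    anything that is not an integer, so malformed input never reaches the database."""
    try:
        font_id = int(selected_id)
    except (TypeError, ValueError):
        return []
    return lookup_font_prepared(con, font_id)


if __name__ == "__main__":
    con = connect_sample_db()
    print("unsafe, normal input:  ", lookup_font_unsafe(con, "2"))
    print("unsafe, crafted input: ", lookup_font_unsafe(con, "2 OR 1=1"))
    print("prepared, crafted input:", lookup_font_prepared(con, "2 OR 1=1"))
    print("validated, crafted input:", lookup_font_validated(con, "2 OR 1=1"))
```

The unsafe lookup returns every row, including the private one, for the crafted value; the prepared lookup returns nothing for it because the driver compares the literal string against the integer column; the validated lookup rejects it before any query runs.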

The operational impact of this vulnerability is severe as it allows unauthenticated attackers to extract sensitive information from the WordPress database without requiring any prior authentication credentials. This includes but is not limited to user credentials, configuration data, plugin settings, and potentially other sensitive information stored within the database. The lack of proper input validation means that an attacker can construct malicious payloads that, when processed by the vulnerable plugin, result in unauthorized data access and potential system compromise. The vulnerability affects all users regardless of their authentication status, making it particularly dangerous in environments where the plugin is actively used.

From a threat modeling perspective, this vulnerability maps to several ATT&CK techniques including T1190 for exploitation of vulnerabilities, T1071.004 for application layer protocol usage, and T1005 for data from local system. The attack surface is broad as the vulnerability exists in a widely used WordPress plugin, making it attractive to automated exploitation tools and malicious actors seeking to compromise WordPress installations. Organizations running vulnerable versions of this plugin face significant risk of data breaches, unauthorized access to user accounts, and potential complete system compromise. The time-based nature of the injection allows for stealthy reconnaissance activities where attackers can gather information without immediately triggering security alerts.

Mitigation strategies should prioritize immediate patching of the plugin to version 1.3 or later, which contains the necessary security fixes. Until patching is complete, administrators should consider implementing web application firewalls to block suspicious SQL injection patterns and monitor database logs for unusual query patterns. Input validation should be strengthened through proper escaping and parameterized queries to prevent similar issues in the future. Security monitoring should include detection of time-based SQL injection attempts and regular vulnerability scanning of WordPress installations to identify other potentially vulnerable plugins or components. The remediation process should also involve reviewing other plugins for similar vulnerabilities and ensuring that all WordPress installations maintain current security practices and regular updates to prevent future exploitation attempts.
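The monitoring step above, detection of time-based injection attempts against this parameter, as an added example that is not part of the original advisory: a small Python scanner over constructed access-log lines. The log format (common log format plus a trailing response time in milliseconds), the `admin-ajax.php` request path and the `action=fmcf_font` value are assumptions for the sample; the detector combines a delay-function indicator in the watched parameter with the observed response time, so a delayed probe and a merely non-numeric value are reported differently.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Delay primitives used by time-based probes across common database engines.
DELAY_PATTERN = re.compile(r"\b(?:SLEEP|BENCHMARK|PG_SLEEP|WAITFOR)\b\s*\(?", re.IGNORECASE)

# Common-log-style line with a hypothetical trailing response time (ms) field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<bytes>\S+) (?P<ms>\d+)$"
)

# Constructed sample log lines (hypothetical request path and action value).
SAMPLE_LOG = """\
203.0.113.5 - - [21/Mar/2026:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=fmcf_font&fmcfIdSelectedFnt=12 HTTP/1.1" 200 512 38
203.0.113.5 - - [21/Mar/2026:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=fmcf_font&fmcfIdSelectedFnt=12%20AND%20SLEEP(5) HTTP/1.1" 200 512 5042
198.51.100.7 - - [21/Mar/2026:10:00:03 +0000] "GET /?p=3 HTTP/1.1" 200 8120 45
203.0.113.5 - - [21/Mar/2026:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=fmcf_font&fmcfIdSelectedFnt=12%20AND%20BENCHMARK(5000000,MD5(1)) HTTP/1.1" 200 512 4871
"""


def parse_line(line: str):
    """Parse one log line into a dict; the query string is decoded into params."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ms"] = int(rec["ms"])
    rec["params"] = parse_qs(urlsplit(rec["target"]).query)
    return rec


def classify(rec, watched=("fmcfIdSelectedFnt",), slow_ms=2000):
    """Return the reasons a request looks like a time-based injection probe (empty = clean).
    The parameter is expected to be a numeric id, so anything else is worth a look;
    a delay function plus a slow response is the strongest signal."""
    reasons = []
    for name in watched:
        for value in rec["params"].get(name, []):
            if DELAY_PATTERN.search(value):
                reasons.append(f"delay function in {name}")
            elif not value.isdigit():
                reasons.append(f"non-numeric {name}")
    if reasons and rec["ms"] >= slow_ms:
        reasons.append(f"slow response ({rec['ms']} ms)")
    return reasons


def scan(log_text: str):
    """Scan a log and return (client ip, parameter value, reasons) for each suspicious request."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            value = rec["params"].get("fmcfIdSelectedFnt", [""])[0]
            findings.append((rec["ip"], value, reasons))
    return findings


if __name__ == "__main__":
    for ip, value, reasons in scan(SAMPLE_LOG):
        print(ip, repr(value), "; ".join(reasons))
```

On the sample the two delayed probes from 203.0.113.5 are reported with both a delay-function and a slow-response reason, while the legitimate numeric request and the unrelated page view produce nothing. In production the `slow_ms` threshold should come from the endpoint's observed baseline rather than a fixed constant.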

Responsible

Wordfence

Reservation

02/03/2026

Disclosure

03/21/2026

Moderation

accepted

CPE

ready

EPSS

0.00112

KEV

no

Activities

very low
