CVE-2025-31578: 
WordPress vulnerability analysis and mitigation

The Fonts Manager | Custom Fonts WordPress plugin contains a Reflected Cross-Site Scripting (XSS) vulnerability affecting all versions up to and including 1.2. The vulnerability was discovered by Abdi Pranata and publicly disclosed on April 1, 2025 (Patchstack, NVD).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It has been assigned a CVSS v3.1 Base Score of 7.1 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability stems from insufficient input sanitization and output escaping in the plugin's functionality (WPScan).

This vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users access affected pages. The scripts could be used for various malicious purposes including redirects, injecting advertisements, or executing other malicious HTML payloads on the target website (Patchstack).

Currently, there is no official fix available for this vulnerability as the software appears to be abandoned. The recommended mitigation is to remove and replace the plugin with an alternative solution. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until an official fix becomes available (Patchstack).