Managed-WP.™

Securing WordPress Font Manager from SQL Injection | CVE-2026-1800 | 2026-03-23


Plugin Name: Fonts Manager | Custom Fonts
Type of Vulnerability: SQL Injection
CVE Number: CVE-2026-1800
Urgency: High
CVE Publish Date: 2026-03-23
Source URL: CVE-2026-1800

Urgent Security Alert: SQL Injection Vulnerability in “Fonts Manager | Custom Fonts” Plugin (≤ 1.2)

Published: March 23, 2026
Severity Level: High (CVSS 9.3, CVE-2026-1800)
Impacted Versions: Plugin versions 1.2 and below
Exploit Requirement: No authentication required (unauthenticated access)

At Managed-WP, a leading US-based WordPress security authority and provider of professional Web Application Firewall (WAF) and incident response services, we are issuing an immediate security advisory concerning a critical SQL injection vulnerability in the Fonts Manager | Custom Fonts WordPress plugin.

This vulnerability allows remote attackers to inject malicious SQL via the fmcfIdSelectedFnt parameter without any authentication, potentially giving them full control over the affected site’s database and leading to data breaches or complete site compromise.

This advisory details what the flaw entails, how to detect its exploitation attempts, urgent mitigation steps, and how Managed-WP offers robust protections that go beyond typical hosting services.


Executive Summary — What Every WordPress Site Owner Needs to Know

  • An unauthenticated SQL injection flaw exists through the fmcfIdSelectedFnt HTTP parameter.
  • Exploitation could lead to sensitive data disclosure, data tampering, unauthorized admin account creation, and full site takeover.
  • No official patch is available at the time of disclosure for affected plugin versions (≤ 1.2).
  • Urgent remediation: immediately remove or deactivate the plugin, or apply virtual patching via a WAF.
  • Managed-WP customers can activate instant virtual patching rules to block attacks while planning long-term remediation.

Technical Background: Understanding the Vulnerability

This vulnerability is a classic SQL injection where unsanitized input from the fmcfIdSelectedFnt parameter is directly included in SQL queries, enabling attackers to alter database commands executed by the plugin.

  • Why this is critical: Attackers can steal or modify database content, create administrator accounts, or inject malicious code without any login credentials.
  • Exploit vector: Completely unauthenticated HTTP requests crafted with malicious payloads targeting the vulnerable parameter.
  • Severity rating: A CVSS score of 9.3 reflects the high impact and ease of exploitation.
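To make the flaw class concrete, here is an added illustration that is not the plugin's code (the advisory does not reproduce it): a Python/sqlite3 stand-in for a font-lookup handler, first splicing fmcfIdSelectedFnt into the SQL text, then the hardened form that enforces the expected integer type and binds the value as a parameter. The table name and rows are constructed; in a WordPress plugin the equivalent hardening is validating the integer and passing it through $wpdb->prepare().

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the plugin's font table (not its real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE fonts (id INTEGER PRIMARY KEY, name TEXT, file_path TEXT);
        INSERT INTO fonts VALUES (1, 'Inter',  'fonts/inter.woff2');
        INSERT INTO fonts VALUES (2, 'Roboto', 'fonts/roboto.woff2');
        INSERT INTO fonts VALUES (3, 'Lora',   'fonts/lora.woff2');
    """)
    return conn

def lookup_font_vulnerable(conn, fmcfIdSelectedFnt):
    # VULNERABLE: the request parameter is spliced into the SQL text, so the
    # database parses whatever the client sent as part of the statement itself.
    sql = f"SELECT id, name FROM fonts WHERE id = {fmcfIdSelectedFnt}"
    return conn.execute(sql).fetchall()

def lookup_font_hardened(conn, fmcfIdSelectedFnt):
    # HARDENED: enforce the expected type, then bind the value as a parameter.
    # A bound parameter is data only; it can never change the statement's shape.
    try:
        font_id = int(fmcfIdSelectedFnt)
    except ValueError:
        return []  # reject rather than guess; a real handler would also log this
    return conn.execute("SELECT id, name FROM fonts WHERE id = ?", (font_id,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(lookup_font_vulnerable(db, "2"))         # [(2, 'Roboto')]
    print(lookup_font_vulnerable(db, "2 OR 1=1"))  # all three rows leak
    print(lookup_font_hardened(db, "2 OR 1=1"))    # [] : input rejected
```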

Potential Attack Scenarios

  1. Massive data breach: Extraction of user credentials, sensitive settings, or private content.
  2. Privilege escalation: Creation of rogue administrator accounts to seize site control.
  3. Persistent website compromise: Insertion of backdoors, manipulated settings, or malicious content for long-term control.
  4. Automated widespread exploitation: Attackers scanning and attacking multiple vulnerable sites simultaneously.

Immediate assumption: any active instance of this plugin should be treated as compromised unless mitigated.


Detection Tips: What to Monitor

Security teams and hosting providers should watch for these indicative signs:

  • HTTP requests containing unusual or suspect characters in the fmcfIdSelectedFnt parameter.
  • Repeated 4xx or 5xx HTTP responses from the plugin’s endpoints.
  • Database errors referencing SQL syntax in logs immediately after plugin endpoint calls.
  • Unexpected creation of admin users or changes in post entries after suspicious requests.
  • Outbound connections originating from the application server to unknown IPs.

Example suspicious log entry snippet:

[access-log] 192.0.2.123 - - [23/Mar/2026:10:04:12 +0000] "GET /wp-admin/admin-ajax.php?action=fmcf_action&fmcfIdSelectedFnt=... HTTP/1.1" 200 512 "-" "Mozilla/5.0"
[error-log] PHP Warning:  mysqli::query(): (23000/1064): You have an error in your SQL syntax... in /wp-content/plugins/fonts-manager-custom-fonts/includes/class-db.php on line 128

Immediate Steps to Protect Your Site (Within 1-2 Hours)

  1. Inventory: Identify all sites running the Fonts Manager | Custom Fonts plugin, version 1.2 or earlier.
  2. Isolation: Temporarily put affected sites into maintenance mode if possible.
  3. Remove or disable: If no patched update exists, uninstall or deactivate the plugin immediately.
  4. Virtual patching: Where plugin removal is not feasible, implement WAF rules to block suspicious input patterns on fmcfIdSelectedFnt.
  5. Credential review: Rotate all admin, FTP, database, and related passwords if compromise is suspected.
  6. Scan for Indicators: Check logs, database users, scheduled tasks, and file system for signs of intrusion.

Guidance on WAF Virtual Patching

Virtual patching in your WAF is a critical interim control that can block exploit attempts even without updating or removing the plugin:

  • Block any unauthenticated request where fmcfIdSelectedFnt contains SQL meta-characters such as quotes, semicolons, or SQL keywords like UNION, SELECT, DROP, etc.
  • Restrict access to plugin endpoints intended only for administrators via IP whitelisting or authentication checks.
  • Rate-limit requests to avoid brute-force or scanning attempts.
  • Monitor and block responses revealing database errors.

Note: These rules are temporary shields—removing or upgrading the plugin to a patched version remains essential once available.
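The monitoring signs listed under Detection Tips and the virtual-patching rule in this section rest on the same check: does the fmcfIdSelectedFnt value carry SQL meta-characters or keywords? The added Python example below, which is not part of the advisory or of any WAF product, implements that check as a WAF-style decision and runs it over constructed access-log lines in the format shown earlier. The assumption that a legitimate value is a plain numeric font id is mine, not the advisory's; the denylist itself follows the bullet list above.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

PARAM = "fmcfIdSelectedFnt"

# Denylist from the advisory's WAF guidance: quotes, semicolons, comment markers,
# and SQL keywords matched as whole words, case-insensitively.
SQL_META = re.compile(
    r"""['";#]|--|/\*|\b(?:UNION|SELECT|INSERT|UPDATE|DELETE|DROP)\b""", re.IGNORECASE
)

# Common Log Format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic (not real logs): one benign request, one carrying
# an encoded quote and SQL keywords in the vulnerable parameter.
SAMPLE_LOG = """\
192.0.2.10 - - [23/Mar/2026:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=fmcf_action&fmcfIdSelectedFnt=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.123 - - [23/Mar/2026:10:04:12 +0000] "GET /wp-admin/admin-ajax.php?action=fmcf_action&fmcfIdSelectedFnt=42%27%20UNION%20SELECT%201 HTTP/1.1" 500 0 "-" "Mozilla/5.0"
"""

def waf_decision(raw_value):
    """Return a block reason for one fmcfIdSelectedFnt value, or None to allow.
    URL-decode first so an encoded quote (%27) is judged like a literal one.
    Assumption (not from the advisory): a legitimate value is a numeric font id."""
    value = unquote(raw_value)
    if value.isdigit():
        return None
    hit = SQL_META.search(value)
    if hit:
        return f"sql-meta:{hit.group(0)}"
    return "not-numeric"

def scan_access_log(text):
    """Flag access-log lines whose fmcfIdSelectedFnt value the rule would block."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these too
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for value in query.get(PARAM, []):  # parse_qs has already URL-decoded
            reason = waf_decision(value)
            if reason:
                hits.append({"ip": m["ip"], "time": m["ts"], "status": m["status"],
                             "value": value, "reason": reason})
    return hits
```

Feeding a day's access log to scan_access_log gives the client IPs and timestamps to correlate with the error-log SQL syntax warnings and admin-user changes described above.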


Indicators of Compromise (IoCs) to Watch For

  • Unexpected HTTP requests containing fmcfIdSelectedFnt with suspicious payloads.
  • Database error logs immediately following plugin endpoint activity.
  • Unrecognized new admin users or changes in wp_usermeta and wp_users tables.
  • New or modified PHP files in WordPress directories, especially obfuscated or encoded backdoors.
  • Unexpected cron jobs or scheduled tasks.
  • Unusual outbound network traffic.

Incident Response Checklist

  1. Isolate affected sites: Turn on maintenance mode and limit public access.
  2. Preserve logs & files: Collect logs, database snapshots, and filesystem backups for forensics.
  3. Remove vulnerability source: Uninstall or disable the vulnerable plugin immediately.
  4. Apply WAF mitigations: Implement virtual patches blocking malicious inputs.
  5. Clean and recover: Remove web shells, unauthorized accounts, and malicious changes; restore from backups.
  6. Update and harden: Keep plugins, themes, and WordPress core patched; enable MFA and restrict access.
  7. Post-incident review: Analyze root cause, update security policies, and subscribe to monitoring services.

Best Practices for Hardening Your WordPress Site

  • Maintain up-to-date WordPress core, themes, and plugins.
  • Use only essential, actively maintained plugins.
  • Enforce strong passwords and multi-factor authentication for all accounts.
  • Apply least privilege principles to database users.
  • Restrict access to admin areas by IP or additional authentication mechanisms.
  • Use file integrity monitoring and routine malware scanning.
  • Maintain and regularly test offsite backups.
  • Employ a professional WAF with virtual patching capabilities.
  • Continuously monitor logs and threat intelligence feeds.

How Managed-WP Protects Your WordPress Site

Managed-WP employs a multi-layered defense strategy designed to protect WordPress environments from the latest threats:

  1. Expert-curated WAF rules and virtual patches: We deploy immediate protections against known vulnerabilities—including CVE-2026-1800—without waiting on vendor patches.
  2. Real-time threat blocking: Automated scanners, exploit attempts, and brute-force attacks are actively blocked and rate-limited.
  3. Continuous vulnerability scanning and alerts: Get actionable notifications the moment your sites are at risk.
  4. Incident response and remediation: Our security experts assist with containment, cleanup, and recovery planning as needed.
  5. Ongoing security hygiene and reporting: Monthly vulnerability overviews, reporting, and best practices help keep your sites secure long-term.

Virtual patching provides critical risk reduction while permanent fixes are developed and deployed, buying you valuable time against zero-day exploits.


FAQs

Should I delete or just deactivate the plugin?
If immediate removal disrupts business-critical functionality, temporarily deactivate the plugin and apply virtual patching. However, full removal and replacement are strongly recommended when feasible.

What if a vendor patch is later released?
Test patches in a staging environment prior to production deployment. Scan your site thoroughly post-update for any signs of residual compromise.

Are backups safe if taken while the vulnerable plugin was active?
Possibly not—malicious changes may reside in those backups. Always run integrity scans and validate backups before restores.


Summary Checklist for Immediate Action

  • Identify all sites running affected plugin versions (≤ 1.2).
  • Disable or uninstall the vulnerable plugin, or if unavoidable, apply WAF virtual patching.
  • Implement blocking rules for suspicious fmcfIdSelectedFnt input patterns.
  • Monitor logs for suspicious activities and SQL errors.
  • Search for unauthorized admin users and anomalies in plugins, files, and scheduled tasks.
  • Rotate all credentials if compromise is suspected.
  • Backup logs and data for forensics if needed.
  • Subscribe to security updates and apply patches as soon as they become available.

Managed-WP’s Free Basic Plan — Rapid Baseline Protection

If you want immediate, no-cost baseline security while assessing and planning remediation, Managed-WP’s Basic plan offers:

  • Managed WAF with tuned rules blocking common attack vectors including zero-day threats.
  • Unlimited bandwidth to sustain protection regardless of attack scale.
  • Automated malware scanning to detect suspicious files and behaviors.
  • Mitigations for OWASP Top 10 vulnerabilities to reduce overall risk.

Sign up now for fast deployment of baseline protections:
https://managed-wp.com/pricing


Final Notes

This advisory from Managed-WP is intended to help WordPress administrators take decisive and effective action against a high-impact vulnerability. By promptly applying mitigation steps and leveraging industry-leading security services, you can protect your sites and customers from severe damage.

If you require assistance, Managed-WP provides professional incident response and continuous protection designed to keep your WordPress environments safe, compliant, and resilient.


References for Further Reading:
– CVE Details: CVE-2026-1800
– OWASP SQL Injection Prevention Cheat Sheet
– WordPress Plugin Security Best Practices


Take Proactive Action — Secure Your Site with Managed-WP

Don’t risk your business or reputation due to overlooked plugin flaws or weak permissions. Managed-WP provides robust Web Application Firewall (WAF) protection, tailored vulnerability response, and hands-on remediation for WordPress security that goes far beyond standard hosting services.

Exclusive Offer for Blog Readers: Access our MWPv1r1 protection plan—industry-grade security starting from just USD20/month.

  • Automated virtual patching and advanced role-based traffic filtering
  • Personalized onboarding and step-by-step site security checklist
  • Real-time monitoring, incident alerts, and priority remediation support
  • Actionable best-practice guides for secrets management and role hardening

Get Started Easily — Secure Your Site for USD20/month:
Protect My Site with Managed-WP MWPv1r1 Plan

Why trust Managed-WP?

  • Immediate coverage against newly discovered plugin and theme vulnerabilities
  • Custom WAF rules and instant virtual patching for high-risk scenarios
  • Concierge onboarding, expert remediation, and best-practice advice whenever you need it

Don’t wait for the next security breach. Safeguard your WordPress site and reputation with Managed-WP—the choice for businesses serious about security.

Click above to start your protection today (MWPv1r1 plan, USD20/month).
https://managed-wp.com/pricing
