CVE-2026-1800 is a critical SQL Injection vulnerability identified in the Fonts Manager | Custom Fonts plugin for WordPress developed by wisdomlogix. The vulnerability arises from improper neutralization of special elements in SQL commands (CWE-89) due to insufficient escaping and lack of prepared statements when handling the 'fmcfIdSelectedFnt' parameter. This parameter is user-supplied and not properly sanitized, allowing attackers to inject arbitrary SQL code. The attack is time-based, meaning attackers can infer data by measuring response times, enabling extraction of sensitive information from the backend database. The vulnerability affects all versions up to and including 1.2 of the plugin. It requires no authentication or user interaction, making it exploitable remotely over the network. The CVSS 3.1 base score is 7.5, reflecting high confidentiality impact but no impact on integrity or availability. No patches have been published yet, and no known exploits are reported in the wild. The vulnerability was reserved in early February 2026 and published in March 2026. The plugin is used within WordPress environments, which are widely deployed globally, increasing the potential attack surface. The root cause is the failure to use parameterized queries or adequate input validation, which is a common and critical security flaw in web applications.

The primary impact of this vulnerability is the unauthorized disclosure of sensitive information stored in the WordPress database, which may include user credentials, personal data, or configuration details. Since the attack vector is network-based and requires no authentication, any exposed WordPress site running the vulnerable plugin is at risk of data leakage. This can lead to privacy violations, compliance breaches, and potential further exploitation if attackers gain insights into the system architecture or credentials. The lack of impact on integrity and availability means the database content is not directly modified or destroyed, but confidentiality compromise alone can have severe consequences. Organizations relying on this plugin may face reputational damage, legal liabilities, and operational disruptions if sensitive data is exfiltrated. The widespread use of WordPress and the plugin increases the scale of potential victims globally. Although no active exploitation is reported, the vulnerability's simplicity and severity make it a likely target for attackers once exploit code becomes available.

To mitigate this vulnerability, organizations should immediately audit their WordPress installations for the presence of the Fonts Manager | Custom Fonts plugin and its version. Since no official patch is currently available, temporary mitigations include disabling or uninstalling the plugin until a fix is released. Developers or site administrators should implement input validation and sanitization on the 'fmcfIdSelectedFnt' parameter, ensuring it only accepts expected values and rejects malicious input. Employing prepared statements or parameterized queries in the plugin's database interactions is critical to prevent SQL injection. Web application firewalls (WAFs) can be configured to detect and block suspicious SQL injection patterns targeting this parameter. Monitoring database logs and web server access logs for unusual query patterns or time delays can help detect exploitation attempts. Additionally, restricting database user permissions to the minimum necessary can limit the impact of any successful injection. Organizations should stay alert for official patches from wisdomlogix and apply them promptly once available.