Skip to main content

Font Awesome Field CVE-2026-49044

| EUVDEUVD-2026-32537 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-27 audit@patchstack.com GHSA-jvxm-pqmv-6427
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 21:11 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Justin Kruit Advanced Custom Fields: Font Awesome Field allows Stored XSS.

This issue affects Advanced Custom Fields: Font Awesome Field: from n/a through 5.0.2.

AnalysisAI

Stored Cross-Site Scripting in the Advanced Custom Fields: Font Awesome Field WordPress plugin (versions through 5.0.2) allows authenticated low-privileged users to inject persistent malicious scripts into web pages viewed by other users. The changed scope (S:C in CVSS) confirms that injected payloads execute in victims' browsers, potentially enabling session hijacking, credential theft, or unauthorized admin-level actions on the WordPress site. No public exploit code has been identified at time of analysis, and SSVC classifies exploitation as none with partial technical impact.

Technical ContextAI

The Advanced Custom Fields: Font Awesome Field plugin, authored by Justin Kruit, extends the popular ACF framework for WordPress by providing a custom field type for selecting Font Awesome icons. CWE-79 (Improper Neutralization of Input During Web Page Generation) indicates the root cause: user-supplied input stored through the plugin's field interface is not properly sanitized or escaped before being rendered back into HTML pages. The Changed Scope (S:C) in the CVSS vector is characteristic of stored XSS in WordPress plugins - content entered in one security context (admin or contributor panel) is reflected into a different context (front-end or admin pages visited by other authenticated users), crossing privilege boundaries. Affected versions span from the initial release through 5.0.2 inclusive, per EUVD-2026-32537.

RemediationAI

The primary remediation is to update the Advanced Custom Fields: Font Awesome Field plugin beyond version 5.0.2. However, no exact patched release version was confirmed in the available source data - the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/advanced-custom-fields-font-awesome/vulnerability/wordpress-advanced-custom-fields-font-awesome-field-plugin-5-0-2-cross-site-scripting-xss-vulnerability and VulDB entry https://vuldb.com/vuln/366417 should be consulted to verify whether a patched version has been released by the vendor. If no patch is yet available, site administrators should restrict access to the affected custom field type by limiting the contributor and editor roles from creating or editing content that uses the Font Awesome Field field type, effectively preventing untrusted users from injecting input. A WordPress Web Application Firewall rule targeting stored XSS patterns in ACF field submissions can provide an additional layer of defense, though this does not eliminate the underlying flaw. Disabling the plugin entirely until a patch is confirmed is the most conservative compensating control, with the trade-off of losing Font Awesome icon selection functionality in ACF-managed content.

Share

CVE-2026-49044 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy