PT-2026-41276 · WordPress · Advanced Custom Fields: Font Awesome Field

Published

2026-05-15

·

Updated

2026-05-15

·

CVE-2026-6415

CVSS v3.1

6.4

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions Advanced Custom Fields: Font Awesome versions prior to 5.0.3
Description The Advanced Custom Fields: Font Awesome plugin for WordPress contains a Stored Cross-Site Scripting issue. This occurs because of insufficient input validation of JSON field values and unsafe client-side HTML construction within the update preview() JavaScript function. Authenticated attackers with Subscriber-level access or higher can inject arbitrary web scripts into pages, which then execute when a user visits the affected page.
Recommendations Update the plugin to a version later than 5.0.2.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-6415

Affected Products

Advanced Custom Fields: Font Awesome Field