Advanced Custom Fields: Font Awesome Field Vulnerability (Medium) -…


by | Feb 18, 2026 | Plugins

Attack Vectors

The vulnerability (CVE-2025-14983) affects the WordPress plugin Advanced Custom Fields: Font Awesome Field (slug: advanced-custom-fields-font-awesome) in versions 5.0.1 and earlier. It is a Medium severity issue (CVSS 6.4) that requires an authenticated user with Contributor-level access or higher.

In practical terms, an attacker who can log into WordPress with at least Contributor permissions could inject malicious script content into affected fields. That script can then run in the browser of anyone who views the impacted page or content area, including administrators, editors, compliance staff, or site visitors—depending on where the field output appears.

Security Weakness

This is a stored cross-site scripting (XSS) vulnerability caused by insufficient input sanitization and output escaping. That means unsafe content can be saved into the WordPress database and later rendered to other users without being properly cleaned or safely displayed.

Because the script is stored and executed when pages are viewed, it can be more damaging than a one-time “click a link” style attack—especially in marketing workflows where multiple stakeholders routinely preview, approve, and publish content.
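To make the root cause concrete, the following is an added illustration written for this advisory, not code taken from the Advanced Custom Fields: Font Awesome Field plugin. It shows how an icon-class field that is saved unsanitized and echoed unescaped becomes a stored XSS sink, next to the WordPress-idiomatic fix of sanitizing on save and escaping on output. The meta key `_example_icon`, the request field `example_icon` and the `example_*` function names are hypothetical; `sanitize_html_class()`, `esc_attr()`, `wp_unslash()`, `update_post_meta()`, `get_post_meta()` and `current_user_can()` are real WordPress core functions.

```php
<?php
// Added illustration (not the plugin's own code): how a stored XSS of the
// kind described in this advisory arises in a WordPress icon-class field,
// and the sanitize-on-save / escape-on-output pattern that closes it.
// Meta key, request field name and function names are hypothetical.

// --- Vulnerable pattern ---------------------------------------------------
// A Contributor submits a post; the icon value is taken from the request
// and written to post meta exactly as received.
function example_save_icon_unsafe( int $post_id ): void {
    if ( isset( $_POST['example_icon'] ) ) {
        // No sanitization: a value that closes the class attribute and
        // opens a <script> tag is stored verbatim in the database.
        update_post_meta( $post_id, '_example_icon', wp_unslash( $_POST['example_icon'] ) );
    }
}

function example_render_icon_unsafe( int $post_id ): string {
    $icon = get_post_meta( $post_id, '_example_icon', true );
    // No escaping: whatever was stored is placed straight into markup, so it
    // runs in the browser of every viewer, including administrators.
    return '<i class="' . $icon . '"></i>';
}

// --- Hardened pattern -----------------------------------------------------
// Reduce the submitted value to a list of plain CSS class tokens before it
// is stored; anything that is not [A-Za-z0-9_-] is dropped.
function example_sanitize_icon_classes( string $raw ): string {
    $clean = array();
    foreach ( preg_split( '/\s+/', trim( $raw ) ) as $token ) {
        $token = sanitize_html_class( $token ); // WordPress core: strips unsafe chars
        if ( '' !== $token ) {
            $clean[] = $token;
        }
    }
    return implode( ' ', $clean );
}

function example_save_icon_safe( int $post_id ): void {
    // Capability check: the current user must be allowed to edit this post.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    if ( isset( $_POST['example_icon'] ) ) {
        $raw = wp_unslash( $_POST['example_icon'] );
        update_post_meta( $post_id, '_example_icon', example_sanitize_icon_classes( $raw ) );
    }
}

function example_render_icon_safe( int $post_id ): string {
    $icon = get_post_meta( $post_id, '_example_icon', true );
    // Escape on output regardless of what is stored: esc_attr() encodes
    // quotes and angle brackets so the value cannot leave the attribute.
    return '<i class="' . esc_attr( $icon ) . '"></i>';
}
```

Both halves of the fix matter: sanitizing on save limits what reaches the database, and escaping on output protects against values that were stored before the fix or written through another path. In a real save handler the capability check would normally be paired with a nonce check (`check_admin_referer()`), omitted here to keep the example focused on the sanitization and escaping steps.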

Technical or Business Impacts

For leadership teams, the primary risk is not “a plugin bug”—it’s loss of trust and loss of control over digital experiences. A stored XSS issue can be used to alter what users see, add unauthorized content, or run scripts that impact customer interactions and brand perception.

Potential business impacts include brand damage (defaced pages or unexpected pop-ups), marketing performance disruption (tampered landing pages or broken analytics flows), and compliance exposure if malicious scripts lead to improper handling of user sessions or sensitive content displayed in an authenticated context.

Recommended remediation: Update Advanced Custom Fields: Font Awesome Field to version 5.0.2 or a newer patched version as soon as feasible, and review which roles have Contributor (or higher) access to publish or manage content that appears on customer-facing pages.
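As an added helper for the remediation step above (written for this advisory; it is not code from the plugin or from its vendor), the snippet below can be run inside a WordPress install, for example with `wp eval-file`, to report whether the installed plugin version is still below 5.0.2 and which accounts meet the Contributor-or-higher precondition. It checks the `edit_posts` capability rather than role names so that custom roles granting that capability are also listed. The plugin slug and fixed version come from this advisory; the `example_*` names and the `EXAMPLE_*` constants are hypothetical. `get_plugins()`, `get_users()`, `user_can()` and `version_compare()` are real WordPress/PHP functions.

```php
<?php
// Added audit helper (not the plugin's own code). Run inside WordPress,
// e.g.:  wp eval-file acf-fa-audit.php
// Constants below use the slug and fixed version stated in the advisory.
const EXAMPLE_ACF_FA_SLUG  = 'advanced-custom-fields-font-awesome'; // plugin directory slug
const EXAMPLE_ACF_FA_FIXED = '5.0.2';                               // first patched release

function example_acf_fa_installed_version(): ?string {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    // get_plugins() is keyed by "<directory>/<main-file>.php"; match on the
    // directory so the main file name does not have to be known.
    foreach ( get_plugins() as $file => $data ) {
        if ( 0 === strpos( $file, EXAMPLE_ACF_FA_SLUG . '/' ) ) {
            return $data['Version'];
        }
    }
    return null; // plugin not installed
}

function example_acf_fa_is_vulnerable( ?string $installed ): bool {
    // Advisory: versions 5.0.1 and earlier are affected, 5.0.2 is fixed.
    return null !== $installed && version_compare( $installed, EXAMPLE_ACF_FA_FIXED, '<' );
}

function example_accounts_meeting_precondition(): array {
    $found = array();
    // Contributor's defining capability is edit_posts; any account holding it
    // (Contributor, Author, Editor, Administrator, or a custom role) qualifies.
    // Note: this walks every user, which is slow on very large sites.
    foreach ( get_users( array( 'fields' => 'all' ) ) as $user ) {
        if ( user_can( $user, 'edit_posts' ) ) {
            $found[] = array(
                'login' => $user->user_login,
                'roles' => implode( ',', (array) $user->roles ),
            );
        }
    }
    return $found;
}

function example_acf_fa_audit(): array {
    $installed = example_acf_fa_installed_version();
    return array(
        'installed'  => $installed,
        'fixed'      => EXAMPLE_ACF_FA_FIXED,
        'vulnerable' => example_acf_fa_is_vulnerable( $installed ),
        'accounts'   => example_accounts_meeting_precondition(),
    );
}

// Print the report as JSON so it can be archived with the change ticket.
echo json_encode( example_acf_fa_audit(), JSON_PRETTY_PRINT ), PHP_EOL;
```

A `vulnerable: true` result means the update should be applied before anything else; the account list is the input for the role review the advisory recommends, and any login in it that no longer needs to author content is a candidate for a lower role.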

Similar Attacks

Stored XSS has a long track record in web platforms, including WordPress ecosystems. For context, here are a few real examples of XSS-related incidents and advisories:

WordPress 4.7.1 Security Release (XSS fixes)
CISA Alert: WordPress Plugin Vulnerability Allows Cross-Site Scripting
CVE-2019-8942 (WordPress core: authenticated stored XSS)
