CVE-2025-14983
Cross-Site Scripting in Advanced Custom Fields Font Awesome Plugin
Publication date: 2026-02-19
Last updated on: 2026-02-19
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| advanced_custom_fields | font_awesome_field | 5.0.2 |
| advanced_custom_fields | font_awesome_field | to 5.0.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Advanced Custom Fields: Font Awesome Field plugin for WordPress is vulnerable to Cross-Site Scripting (XSS) in all versions up to and including 5.0.1. This vulnerability arises due to insufficient input sanitization and output escaping.
Authenticated attackers with Contributor-level access or higher can exploit this vulnerability to inject arbitrary web scripts that execute in the browsers of other users who view the affected content.
How can this vulnerability impact me? :
This vulnerability allows attackers with Contributor-level access or above to inject malicious scripts into the website.
These scripts can execute in the browsers of other users, potentially leading to theft of sensitive information, session hijacking, defacement of the website, or distribution of malware.
Because the vulnerability is a Cross-Site Scripting (XSS) flaw, it can undermine the trustworthiness and security of the affected WordPress site.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability in the Advanced Custom Fields: Font Awesome Field plugin for WordPress is a Cross-Site Scripting (XSS) issue exploitable by authenticated users with Contributor-level access or higher. Detection involves identifying if the vulnerable plugin version (up to and including 5.0.1) is installed and if there are any suspicious scripts injected via the plugin's input fields.
Since the vulnerability arises from insufficient input sanitization and output escaping, detection can include checking for unusual or malicious script tags or JavaScript code in fields managed by the plugin.
Specific commands or tools are not provided in the available resources. However, general detection steps could include:
- Checking the installed plugin version to confirm if it is 5.0.1 or earlier.
- Using WordPress CLI commands to list installed plugins and their versions, e.g., `wp plugin list`.
- Searching the WordPress database for suspicious script tags or JavaScript code in fields related to Advanced Custom Fields Font Awesome, for example by querying the `wp_postmeta` table for meta keys related to the plugin.
- Monitoring web traffic for unusual script execution or injection attempts targeting the plugin's fields.
No explicit detection commands or scripts are provided in the resources.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the Cross-Site Scripting vulnerability in the Advanced Custom Fields: Font Awesome Field plugin, immediate steps include:
- Update the plugin to version 5.0.2 or later, where security enhancements and output escaping improvements have been implemented to prevent XSS attacks.
- Restrict Contributor-level and higher user permissions to trusted users only, minimizing the risk of malicious script injection.
- Review and sanitize any existing content or inputs managed by the plugin to remove potentially malicious scripts.
- Apply security best practices such as using Web Application Firewalls (WAFs) to detect and block XSS attempts.
The plugin update (version 5.0.2) includes changes replacing unsafe output functions with safer alternatives like `wp_kses_post()`, `esc_html_e()`, and `esc_attr()` to properly escape HTML and attributes, thereby mitigating the vulnerability.