CVE-2026-49044
Deferred Deferred - Pending Action
Stored XSS in Advanced Custom Fields Font Awesome Field

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: Patchstack

Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Justin Kruit Advanced Custom Fields: Font Awesome Field allows Stored XSS. This issue affects Advanced Custom Fields: Font Awesome Field: from n/a through 5.0.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-05-27
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-49044
EUVD
EUVD-2026-32537
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
justin_kruit advanced_custom_fields_font_awesome_field to 5.0.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Stored Cross-site Scripting (XSS) issue found in the Justin Kruit Advanced Custom Fields: Font Awesome Field plugin. It occurs due to improper neutralization of input during web page generation, which means that malicious input can be stored and later executed in the context of a user's browser.

Impact Analysis

The vulnerability can allow an attacker with low privileges to execute malicious scripts in the context of other users, potentially leading to data theft, session hijacking, or other malicious actions. The CVSS score indicates it can impact confidentiality, integrity, and availability.

Compliance Impact

The provided information does not specify how the Cross-site Scripting (XSS) vulnerability in the Advanced Custom Fields: Font Awesome Field plugin directly affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves stored Cross Site Scripting (XSS) in the Advanced Custom Fields: Font Awesome Field plugin for WordPress. Detection typically involves identifying malicious script injections in the web pages generated by the plugin.

Since the vulnerability requires a privileged user to trigger it, monitoring for unusual input submissions or suspicious user activity in the plugin's input fields can help detect exploitation attempts.

No specific detection commands or tools are provided in the available resources.

Mitigation Strategies

Immediate mitigation steps include updating the affected plugin to a non-vulnerable version once available.

Since no official patch is currently available, it is recommended to seek assistance from your hosting provider or a web developer to implement temporary protective measures.

Additionally, restrict privileged user actions and monitor for suspicious activity to reduce the risk of exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49044. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart