VYPR
Medium severity · CVSS 6.4 · NVD Advisory · Published Feb 19, 2026 · Updated Apr 15, 2026

CVE-2025-14983

Description

The Advanced Custom Fields: Font Awesome Field plugin for WordPress is vulnerable to Cross-Site Scripting in all versions up to, and including, 5.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts that execute in a victim's browser.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated stored XSS in Advanced Custom Fields: Font Awesome Field plugin up to 5.0.1 allows Contributor+ users to inject arbitrary scripts.

Vulnerability

Overview

The Advanced Custom Fields: Font Awesome Field plugin for WordPress is vulnerable to stored Cross-Site Scripting (XSS) in all versions up to and including 5.0.1. The root cause is insufficient input sanitization and output escaping in the plugin's field rendering logic, specifically within the acf-font-awesome-v6.php file [1][2][3][4]. User-supplied field data is processed and emitted without proper neutralization, which allows script injection.

Exploitation

Conditions

An attacker must be authenticated to the WordPress site with at least Contributor-level access. The attacker saves malicious JavaScript into the plugin's field; because the value is stored, the payload is rendered on every page that outputs the field and executes whenever another user views one of those pages. The missing output escaping means the injected script runs in the context of the victim's browser session [1][2][3][4].
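The bug class described in the Overview and Conditions sections, as an added illustration that is not code from the plugin or from acf-font-awesome-v6.php: a stored field value interpolated into markup as-is, next to a render routine that validates the value against the shape a Font Awesome class list should have and escapes on output. The function names, the assumption that the stored value is an icon class string, and the sample values are all constructed for this example. `esc_attr()` is a real WordPress function; a stand-in with the same core behaviour is defined so the file runs under plain `php` outside WordPress.

```php
<?php
// Added illustration of the stored-XSS pattern behind CVE-2025-14983.
// Not the plugin's code: render_icon_vulnerable / render_icon_hardened
// and the sample values below are assumptions made for this example.

// WordPress ships esc_attr(); this stand-in (HTML-escape with ENT_QUOTES)
// mirrors its core behaviour so the script runs without WordPress loaded.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern: the stored selection goes straight into the class
// attribute. A Contributor who saved a crafted value gets raw markup into
// every page on which the field is rendered.
function render_icon_vulnerable(string $stored): string {
    return '<i class="' . $stored . '"></i>';
}

// Hardened pattern, two layers:
//  1. validate against the value space the field is meant to hold
//     (Font Awesome class names consist of [A-Za-z0-9-] tokens only);
//  2. escape on output anyway, so a value that slipped past validation
//     somewhere else still cannot break out of the attribute.
function render_icon_hardened(string $stored): string {
    $classes = array_filter(
        preg_split('/\s+/', trim($stored)),
        fn(string $c): bool => preg_match('/^[a-z0-9-]+$/i', $c) === 1
    );
    if ($classes === []) {
        return '';  // nothing valid to render: fail closed, emit no element
    }
    return '<i class="' . esc_attr(implode(' ', $classes)) . '"></i>';
}

// Constructed sample values: a benign icon selection, an attribute
// break-out, and a payload that closes the tag and injects a new element.
$samples = [
    'benign'    => 'fa-solid fa-house',
    'attr'      => 'fa-solid fa-house" onmouseover="alert(1)',
    'new-elem'  => '"><img src=x onerror=alert(document.cookie)><i class="',
];

foreach ($samples as $label => $value) {
    echo "[$label]\n";
    echo "  vulnerable:  " . render_icon_vulnerable($value) . "\n";
    echo "  escape-only: " . '<i class="' . esc_attr($value) . '"></i>' . "\n";
    echo "  hardened:    " . render_icon_hardened($value) . "\n";
}
```

Run with `php example.php`. The `escape-only` line shows that output escaping alone already keeps the attacker inside the attribute (quotes and angle brackets become entities); the `hardened` line adds the allowlist, which drops the crafted tokens and renders only `fa-solid` for the attribute break-out case and nothing for the element-injection case. In a real plugin the same validation belongs at save time as well, so that a crafted value never reaches the database in the first place.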

Impact

Successful exploitation enables an attacker to execute arbitrary web scripts in the browser of any user who views the affected page. This can lead to session hijacking, defacement, or redirection to malicious sites. The CVSS v3 score of 6.4 (Medium) reflects the requirement for authenticated, Contributor-level access, weighed against the potential for significant client-side harm.

Mitigation

As of the publication date, no patched version has been released. Users should restrict Contributor-level access to trusted individuals and consider disabling the plugin until a security update is available. Because the payload is stored, deactivating the plugin stops it from being rendered but does not remove values already saved; field contents written by Contributor accounts should be reviewed as well. The vulnerability is not yet listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 10

News mentions: 0

No linked articles in our index yet.