CVE-2026-2496

Root

Cause

The Ed's Font Awesome plugin for WordPress (versions up to 2.0) includes a shortcode eds_font_awesome that renders Font Awesome icons with user-supplied attributes such as style, name, size, and color. The plugin fails to properly sanitize and escape these attributes before outputting them in the page HTML, leading to a Stored Cross-Site Scripting (XSS) vulnerability [1].

Exploitation

Prerequisites

An attacker must have at least Contributor-level access to the WordPress site to insert the vulnerable shortcode into posts or pages. The attack does not require any other special network position or authentication from visitors. When a victim views the compromised page, the injected script executes in the context of their browser session [1].

Impact

Successful exploitation allows the attacker to inject arbitrary JavaScript or HTML, which can be used to steal session cookies, redirect users to malicious sites, perform actions on behalf of the victim, or deface the site. Since the XSS is stored, every visitor to the affected page will be impacted [1].

Mitigation

The vulnerability is addressed in version 2.1 of the plugin, where the developer applied esc_attr() to all shortcode attribute outputs. Later versions (3.0.1) confirm proper escaping with esc_attr(), esc_html(), and esc_url(). Users should update to version 2.1 or later immediately to remediate the risk [1].