VYPR
Medium severity · 6.5 · NVD Advisory · Published May 27, 2026

CVE-2026-49044

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Justin Kruit Advanced Custom Fields: Font Awesome Field allows Stored XSS.

This issue affects Advanced Custom Fields: Font Awesome Field: from n/a through 5.0.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Advanced Custom Fields: Font Awesome Field plugin up to v5.0.2 allows attackers to inject malicious scripts via unsanitized input.

Vulnerability

The Advanced Custom Fields: Font Awesome Field plugin for WordPress, versions from n/a through 5.0.2, contains a stored cross-site scripting vulnerability due to improper neutralization of input during web page generation [1]. The flaw resides in how the plugin handles user-supplied data for the Font Awesome field, allowing injection of arbitrary HTML and JavaScript [1].

Exploitation

To exploit this vulnerability, an attacker must be authenticated as a user with the ability to create or edit posts and include the Font Awesome field (e.g., Editor or Administrator role) [1]. The attacker injects malicious code into the field input; when an administrator or other privileged user views the post, such as by following a crafted link or opening the dashboard page, the injected script executes in their browser [1]. The only user action required is a visit to the affected page [1].

Impact

Successful exploitation allows the attacker to inject malicious scripts (e.g., redirects, advertisements, or other HTML payloads) that execute in the context of a victim's session when they visit the compromised site [1]. This can lead to session hijacking, defacement, or further compromise of the WordPress instance [1]. The impact is primarily to integrity and confidentiality, with the attacker's script running within the scope of the affected user's privileges.

Mitigation

The vendor has not yet released a patched version of the plugin [1]. As an immediate workaround, disable the plugin or restrict access to the vulnerable field via user role capabilities [1]. If a fix becomes available in the future, update to the latest version promptly [1]. Users unable to update should contact their hosting provider or web developer for assistance [1].
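As an added illustration of the defect class and of the two controls that neutralize it (strict allow-list validation on save, escaping on output), the following WordPress-style PHP is not the plugin's own code; the function names, the field name `icon_class`, and the rendered markup are assumptions.

```php
<?php
// Added example, not code from the affected plugin. Assumes an ACF field named
// 'icon_class' whose stored value is rendered into the class attribute of an <i> tag.

/**
 * Return the value only if it has the expected Font Awesome shape
 * (a style prefix plus one icon name, e.g. "fas fa-user" or "fa-solid fa-user");
 * anything else, including quotes, angle brackets or event handlers, is rejected.
 */
function acf_fa_sanitize_icon_class( $value ) {
    $value = trim( (string) $value );
    $pattern = '/^(fa[srlbd]?|fa-(solid|regular|light|thin|brands|duotone)) fa-[a-z0-9-]+$/';
    return preg_match( $pattern, $value ) ? $value : '';
}

/**
 * Vulnerable pattern described by the advisory: the stored value reaches
 * the page with no neutralization, so it is interpreted as markup.
 */
function acf_fa_render_icon_unsafe( $stored_value ) {
    return '<i class="' . $stored_value . '"></i>';
}

/**
 * Hardened rendering: validate again on output (data may have been written
 * by another code path) and escape for the attribute context with esc_attr().
 */
function acf_fa_render_icon( $stored_value ) {
    $class = acf_fa_sanitize_icon_class( $stored_value );
    if ( '' === $class ) {
        return '';
    }
    return '<i class="' . esc_attr( $class ) . '" aria-hidden="true"></i>';
}

// Reject malformed values before they are persisted. acf/update_value/name=...
// is ACF's per-field update filter; it passes ($value, $post_id, $field).
add_filter( 'acf/update_value/name=icon_class', function ( $value ) {
    return acf_fa_sanitize_icon_class( $value );
}, 10, 1 );
```

Validation on save limits what can be stored, but output escaping is what closes the stored XSS regardless of how the value reached the database.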

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE; mechanics are only generated when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 0

No linked articles in our index yet.