Stored Cross-Site Scripting in Advanced Custom Fields: Font Awesome Plugin for WordPress
CVE-2026-6415

6.4 MEDIUM

What is CVE-2026-6415?

The Advanced Custom Fields: Font Awesome plugin for WordPress is susceptible to a Stored Cross-Site Scripting vulnerability due to inadequate input validation of JSON field values and improper handling within the update_preview() JavaScript function. This flaw allows authenticated users with Subscriber-level privileges and higher to inject malicious scripts into web pages. These scripts will be executed for any user who views the compromised page, potentially leading to data theft or other harmful activities.

Affected Version(s)

Advanced Custom Fields: Font Awesome Field 0 <= 5.0.2

CVSS V3.1

Score: 6.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Nguyen Cong Quang