cleantalk
Vulnerabilities and Security Researches

Advanced Custom Fields: Font Awesome Field, CVE-2026-6415

CVE, Research URL

CVE-2026-6415

Home page URL

Security reports for Advanced Custom Fields: Font Awesome Field

Application

Advanced Custom Fields: Font Awesome Field

Published on
May 15, 2026
Research Description
The Advanced Custom Fields: Font Awesome plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.0.2. This is due to insufficient input validation of JSON field values and unsafe client-side HTML construction in the update_preview() JavaScript function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 6.0.0.
Status
vulnerable
Previous vulnerability researches
Elite crypto checkout (5168e230bf164d8e0ebd8f95ccf9add5694cd07c) , Jun 07, 2024
New vulnerability
Meta Field Block (CVE-2026-6252) , May 16, 2026
Gallery Plugin for WordPress – Envira Photo Gallery (CVE-2026-5361) , May 15, 2026
Database Backup for WordPress (CVE-2026-4029) , May 15, 2026
Database Backup for WordPress (CVE-2026-4031) , May 15, 2026
Database Backup for WordPress (CVE-2026-4030) , May 15, 2026