cleantalk
Vulnerabilities and Security Researches

Advanced Custom Fields: Font Awesome Field, CVE-2026-6415

CVE, Research URL

CVE-2026-6415

Home page URL

Security reports for Advanced Custom Fields: Font Awesome Field

Application

Advanced Custom Fields: Font Awesome Field

Published on
May 15, 2026
Research Description
The Advanced Custom Fields: Font Awesome plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.0.2. This is due to insufficient input validation of JSON field values and unsafe client-side HTML construction in the update_preview() JavaScript function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 6.0.0.
Status
vulnerable
Previous vulnerability researches
Store Manager Connector (CVE-2025-4602) , Jun 15, 2025
Store Manager Connector (CVE-2025-4603) , Jun 15, 2025
Store Manager Connector (CVE-2025-5058) , Jun 15, 2025
Store Manager Connector (CVE-2025-4336) , Jun 15, 2025
Store Manager Connector (CVE-2026-42773) , May 13, 2026
New vulnerability
Meta Field Block (CVE-2026-6252) , May 16, 2026
Gallery Plugin for WordPress – Envira Photo Gallery (CVE-2026-5361) , May 15, 2026
Database Backup for WordPress (CVE-2026-4029) , May 15, 2026
Database Backup for WordPress (CVE-2026-4031) , May 15, 2026
Database Backup for WordPress (CVE-2026-4030) , May 15, 2026