PatchSiren cyber security CVE debrief
CVE-2026-49044 Justin Kruit CVE debrief
A stored cross-site scripting (XSS) vulnerability exists in the Advanced Custom Fields: Font Awesome Field WordPress plugin, affecting versions up to and including 5.0.2. The vulnerability stems from improper neutralization of input during web page generation (CWE-79). An attacker with low privileges can inject malicious scripts that execute in the context of other users' browsers, potentially leading to session hijacking, credential theft, or unauthorized administrative actions. The CVSS 3.1 score of 6.5 reflects network attack vector, low attack complexity, low privileges required, user interaction required, and changed scope with low impacts to confidentiality, integrity, and availability. The CVE was published on 2026-05-27 and last modified the same day. No known exploitation in ransomware campaigns has been reported, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor
- Justin Kruit
- Product
- Advanced Custom Fields: Font Awesome Field
- CVSS
- MEDIUM 6.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-27
- Original CVE updated
- 2026-05-27
- Advisory published
- 2026-05-27
- Advisory updated
- 2026-05-27
Who should care
WordPress site administrators using the Advanced Custom Fields: Font Awesome Field plugin; security teams managing WordPress content management systems; developers maintaining sites with custom ACF field configurations; compliance officers tracking vulnerability remediation for web application portfolios
Technical summary
The Advanced Custom Fields: Font Awesome Field plugin fails to properly sanitize user-supplied input before rendering it in administrative interfaces and potentially frontend contexts. Stored XSS vulnerabilities in WordPress plugins typically allow authenticated attackers with post-editing capabilities to embed malicious JavaScript in custom field values. When other users (including administrators) view or edit posts containing these fields, the injected scripts execute in their browser sessions. The changed scope (S:C) in the CVSS vector indicates the vulnerable component impacts resources beyond its security authorization, suggesting the XSS may affect the broader WordPress admin environment rather than remaining isolated to the plugin's own interface.
Defensive priority
medium
Recommended defensive actions
- Update the Advanced Custom Fields: Font Awesome Field plugin to a version newer than 5.0.2 as soon as a patched release is available from the vendor
- Review and sanitize all existing Font Awesome field content for suspicious script tags or encoded payloads
- Implement Content Security Policy headers to mitigate impact of any unpatched XSS vectors
- Apply principle of least privilege to WordPress user accounts to reduce attack surface
- Monitor web server logs for unusual POST requests to admin-ajax.php or post.php containing script payloads
- Consider Web Application Firewall rules to detect and block common XSS patterns in plugin input fields
Evidence notes
Vulnerability identified through Patchstack security research. Vendor attribution to Justin Kruit per CVE description. Affected version range confirmed as n/a through 5.0.2. CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L.
Official resources
-
CVE-2026-49044 CVE record
CVE.org
-
CVE-2026-49044 NVD detail
NVD
-
Source item URL
nvd_modified
- Mitigation or vendor reference
2026-05-27