Impact
The Advanced Custom Fields: Font Awesome Field plugin is vulnerable to stored Cross-Site Scripting in all versions up to 5.0.1 because user input is not properly sanitized or escaped. An attacker who can edit a Font Awesome field with Contributor level access or higher can store a malicious script that later executes in any browser that loads a page displaying that field. This can result in theft of session cookies, defacement of the site, or further attacks against users who view the compromised page. The description implies that the attacker must be authenticated with at least Contributor privileges to edit the field, so the flaw is not exploitable by anonymous users.
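To make the "not sanitized or escaped" root cause concrete, here is an added illustrative example in PHP; it is not the plugin's own code, and the function names, the icon-class allow-list pattern and the sample values are assumptions. It contrasts the vulnerable pattern (stored value written straight into an HTML attribute) with a hardened version that allow-lists the icon class on save and escapes it on output.

```php
<?php
// Added example, not the plugin's code. A Font Awesome field stores an icon
// class string such as "fa fa-user"; any user who can edit the field
// (Contributor or higher) controls that value.

// Vulnerable pattern: the stored value is placed into markup without
// sanitization or escaping, so a stored payload runs for every page viewer.
function render_icon_unsafe( string $stored ): string {
    return '<i class="' . $stored . '"></i>';
}

// Hardened pattern, step 1 (on save): keep only tokens shaped like a
// Font Awesome class ("fa", "fas", "fa-user", "fa-2x", ...) and drop the rest.
function sanitize_fa_class( string $raw ): string {
    $tokens = preg_split( '/\s+/', trim( $raw ) );
    $clean  = array();
    foreach ( $tokens as $token ) {
        // Allow-list (assumed pattern): letters, digits and hyphens only.
        if ( preg_match( '/^fa[a-z]?(?:-[a-z0-9]+)*$/', $token ) ) {
            $clean[] = $token;
        }
    }
    return implode( ' ', $clean );
}

// Hardened pattern, step 2 (on output): escape for the attribute context even
// after sanitization, so a future change to the allow-list cannot reintroduce
// attribute break-out. esc_attr() is WordPress core; the fallback keeps this
// file runnable outside WordPress.
function render_icon_safe( string $stored ): string {
    $class   = sanitize_fa_class( $stored );
    $escaped = function_exists( 'esc_attr' )
        ? esc_attr( $class )
        : htmlspecialchars( $class, ENT_QUOTES, 'UTF-8' );
    return '<i class="' . $escaped . '"></i>';
}

// Constructed sample values: a benign icon and one that tries to close the
// class attribute and inject markup (harmless bold tag used as the marker).
$benign  = 'fa fa-user';
$hostile = 'fa fa-user "><b>injected</b>';

echo render_icon_unsafe( $hostile ), "\n"; // marker lands in the page as live HTML
echo render_icon_safe( $hostile ), "\n";   // <i class="fa fa-user"></i>
echo render_icon_safe( $benign ), "\n";    // <i class="fa fa-user"></i>
```

The same allow-list function can be run over already-stored field values to find entries that fail it, which is a quick way to check whether a site with cached or backed-up content still holds injected data after updating the plugin.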
Affected Systems
WordPress sites that use the Advanced Custom Fields: Font Awesome Field plugin version 5.0.1 or older, as released by mattkeys. Sites that have caching or backup plugins might retain stored malicious content until the plugin is updated or the data is cleaned.
Risk and Exploitability
The CVSS score is 6.4, indicating moderate severity, and its EPSS score is below 1%, implying that active exploitation is presently rare. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires that the attacker has Contributor or higher privileges to edit a Font Awesome field and that the field is rendered on a page viewed by other users. The likely attack path is therefore an authenticated user with field-editing rights storing a payload that then executes for users who view the compromised content.
OpenCVE Enrichment