Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alexander Weleczka FontAwesome.io ShortCodes allows Stored XSS. This issue affects FontAwesome.io ShortCodes: from n/a through 1.0.
Published: 2025-01-16
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The FontAwesome.io ShortCodes plugin has a stored cross‑site scripting flaw that permits an attacker to inject malicious scripts into a WordPress site. The vulnerability is categorized as CWE‑79 and can be triggered through unsanitized user input that is persisted and later rendered in a web page. Exploitation could allow the attacker to execute arbitrary client‑side code in the victim’s browser, leading to credential theft, defacement, or further attacks, without requiring user interaction beyond initial exploitation of the plugin’s input interface.

Affected Systems

The weakness exists in all releases of the FontAwesome.io ShortCodes plugin from the earliest version through 1.0. This includes installations that have not yet applied any updates or that are running the plugin at version 1.0 or earlier. Sites using this plugin should check the exact version in use and verify whether an upgrade path is available.

Risk and Exploitability

The CVSS score of 6.5 classifies the issue as moderate severity. The EPSS score of less than 1% indicates that the current probability of widespread exploitation is low, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need to submit content that is stored by the plugin and rendered in future page loads. Once the script is executed in the victim’s browser, an attacker can perform typical XSS attacks. Due to the stored nature of the flaw, a single compromised user or malicious post can affect all visitors to the site.

Generated by OpenCVE AI on May 1, 2026 at 20:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the FontAwesome.io ShortCodes plugin to the latest available version, or apply the vendor’s official patch if one is released for 1.0 or earlier releases.
  • If an upgrade is not immediately possible, review and sanitize user input by enforcing strict content‑type restrictions, removing event handler attributes, and appropriately escaping output when rendering shortcode content.
  • Implement a robust Content Security Policy that restricts script execution to trusted domains and disables inline scripts, reducing the impact of any remaining XSS payloads.
  • Monitor site logs for suspicious input patterns and audit user permissions to limit who can create or edit content that is processed by the plugin.

Generated by OpenCVE AI on May 1, 2026 at 20:39 UTC.
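The following is an added example, not code from the FontAwesome.io ShortCodes plugin or from OpenCVE: a hardened WordPress shortcode render callback showing the three recommended actions above (restrict attribute values, strip event handler attributes from enclosed content, escape at output) plus a defence-in-depth CSP header. The shortcode tag fa_icon, its attributes and all fa_demo_* function names are hypothetical.

```php
<?php
// Added example (hypothetical shortcode, not the plugin's code): a render
// callback that restricts, filters and escapes everything it outputs.

// Allow-list of HTML permitted in enclosed content. Event handler attributes
// (onclick, onerror, ...) are absent, so wp_kses() removes them.
function fa_demo_allowed_html() {
    return array(
        'i'    => array( 'class' => true, 'title' => true ),
        'span' => array( 'class' => true ),
        'b'    => array(),
        'em'   => array(),
    );
}

function fa_demo_render_icon( $atts, $content = null ) {
    // Only the declared attributes are accepted; unknown ones are dropped.
    $atts = shortcode_atts(
        array( 'name' => 'star', 'size' => '1x', 'title' => '' ),
        $atts,
        'fa_icon'
    );

    // Content-type restriction: each attribute is reduced to the value
    // shape it is expected to carry before it reaches the markup.
    $name  = sanitize_html_class( $atts['name'] );
    $size  = preg_match( '/^(lg|[1-5]x)$/', $atts['size'] ) ? $atts['size'] : '1x';
    $title = sanitize_text_field( $atts['title'] );

    // Escape at the point of output, in attribute context, with esc_attr().
    $html  = '<i class="fa fa-' . esc_attr( $name ) . ' fa-' . esc_attr( $size ) . '"';
    $html .= ( '' !== $title ) ? ' title="' . esc_attr( $title ) . '"' : '';
    $html .= '></i>';

    // Enclosed content is filtered through the allow-list, never echoed raw.
    if ( null !== $content ) {
        $html .= ' <span class="fa-label">' . wp_kses( $content, fa_demo_allowed_html() ) . '</span>';
    }
    return $html;
}
add_shortcode( 'fa_icon', 'fa_demo_render_icon' );

// Defence in depth: a CSP without 'unsafe-inline' limits what a payload that
// slips past the escaping can do. Adjust the sources to the site's real origins.
add_action( 'send_headers', function () {
    header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" );
} );
```

The CSP shown blocks inline scripts site-wide, so test it against the active theme and other plugins before deploying it in enforcing mode.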

Advisories
Source: EUVD
ID: EUVD-2025-3454
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alexander Weleczka FontAwesome.io ShortCodes allows Stored XSS. This issue affects FontAwesome.io ShortCodes: from n/a through 1.0.
History

Tue, 28 Apr 2026 19:30:00 +0000


Tue, 28 Apr 2026 18:30:00 +0000

Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alexander Weleczka FontAwesome.io ShortCodes fontawesomeio-shortcodes allows Stored XSS. This issue affects FontAwesome.io ShortCodes: from n/a through <= 1.0.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alexander Weleczka FontAwesome.io ShortCodes allows Stored XSS. This issue affects FontAwesome.io ShortCodes: from n/a through 1.0.
References

Thu, 23 Apr 2026 15:30:00 +0000


Thu, 23 Apr 2026 15:00:00 +0000

Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alexander Weleczka FontAwesome.io ShortCodes allows Stored XSS. This issue affects FontAwesome.io ShortCodes: from n/a through 1.0.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alexander Weleczka FontAwesome.io ShortCodes fontawesomeio-shortcodes allows Stored XSS. This issue affects FontAwesome.io ShortCodes: from n/a through <= 1.0.
References

Fri, 17 Jan 2025 18:15:00 +0000

Metrics ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 16 Jan 2025 20:30:00 +0000

Values Added:
  Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alexander Weleczka FontAwesome.io ShortCodes allows Stored XSS. This issue affects FontAwesome.io ShortCodes: from n/a through 1.0.
  Title: WordPress FontAwesome.io ShortCodes plugin <= 1.0 - Cross Site Scripting (XSS) vulnerability
  Weaknesses: CWE-79
  References
  Metrics cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:21.901Z

Reserved: 2025-01-16T11:30:51.096Z

Link: CVE-2025-23824

Vulnrichment

Updated: 2025-01-17T17:50:18.136Z

NVD

Status : Deferred

Published: 2025-01-16T21:15:23.437

Modified: 2026-04-28T19:29:02.960

Link: CVE-2025-23824

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T20:45:25Z

Weaknesses