Impact
Improper neutralization of input during web page generation has been identified in the Incredible Font Awesome plugin for WordPress, allowing stored cross-site scripting (XSS). The flaw permits an attacker to inject arbitrary JavaScript that is persisted in the site's content and then runs in the browser of any visitor to the affected pages. Because the script executes with the privileges of the user loading the page, an attacker could steal session cookies, deface the site, or redirect visitors to malicious destinations, compromising the confidentiality, integrity, and availability of the site's content.
Affected Systems
WordPress sites that use the Incredible Font Awesome add-on by massimo.serpilli are affected. Every installation running version 1.0 or earlier is vulnerable; the issue is present from the initial release through version 1.0. Administrators should verify whether the plugin is in use on their deployment and identify the installed version.
Risk and Exploitability
The vulnerability receives a CVSS score of 6.5, indicating moderate severity, while an EPSS score of less than 1% suggests a low probability of exploitation at the time of analysis. It is not listed in the CISA Known Exploited Vulnerabilities catalog. The most likely attack vector is an authenticated user with the ability to modify plugin settings or content, who stores malicious JavaScript that is later served to site visitors. Because the stored script runs in each visitor's browser context, the impact is broad and can affect everyone who loads the compromised pages.
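To make the improper-neutralization pattern concrete, the following is an added illustrative example and not the Incredible Font Awesome plugin's own code: a hypothetical shortcode prints an icon class name stored in a plugin option, first in the vulnerable form and then neutralized on output and restricted on save with WordPress's own escaping and sanitization functions. The option name, function names and settings group are assumptions.

```php
<?php
// Added illustrative example, not the plugin's own code. A hypothetical
// shortcode renders an icon class name that was saved in a plugin option.

// Vulnerable pattern: the stored setting is concatenated into markup
// unescaped, so whatever a user with settings access saved is emitted as
// live HTML for every visitor who loads a page containing the shortcode.
function ifa_demo_icon_vulnerable() {
    $class = get_option( 'ifa_demo_icon_class', 'fa fa-star' );
    return '<i class="' . $class . '"></i>';
}

// Hardened pattern: neutralize on output with the escaper that matches the
// context. esc_attr() makes the value safe inside an HTML attribute, so a
// stored value that tries to close the attribute and add a handler is
// rendered as inert text rather than as markup.
function ifa_demo_icon_hardened() {
    $class = get_option( 'ifa_demo_icon_class', 'fa fa-star' );
    return '<i class="' . esc_attr( $class ) . '"></i>';
}

// Defense in depth: also restrict what may be stored. A sanitize_callback
// registered with register_setting() runs on every save, so only characters
// that can form CSS class names (letters, digits, hyphen, underscore, space)
// reach the database in the first place.
function ifa_demo_sanitize_icon_class( $value ) {
    $value = sanitize_text_field( (string) $value );
    return preg_replace( '/[^A-Za-z0-9 _-]/', '', $value );
}

add_action( 'admin_init', function () {
    register_setting( 'ifa_demo', 'ifa_demo_icon_class', array(
        'type'              => 'string',
        'sanitize_callback' => 'ifa_demo_sanitize_icon_class',
        'default'           => 'fa fa-star',
    ) );
} );

// Expose only the hardened renderer as the shortcode handler.
add_shortcode( 'ifa_demo_icon', 'ifa_demo_icon_hardened' );
```

Escaping at output is the fix the advisory's CWE calls for; the save-time sanitizer is an additional layer and does not replace it, because stored values may also enter the database through other paths.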
OpenCVE Enrichment