The vulnerability in the WordPress Perfect Font Awesome Integration plugin allows an attacker to store malicious JavaScript in the plugin’s settings, which is then served to all visitors when the administration pages are rendered. This Stored XSS flaw can lead to the theft of user credentials, session hijacking, or the execution of arbitrary code in the context of the affected WordPress site, compromising user data confidentiality and site integrity. The weakness is a classic example of input not being properly escaped before inclusion in web page output and is catalogued as CWE‑79.

The flaw exists in WPOrbit Support’s Perfect Font Awesome Integration plugin for WordPress, from the earliest available release up to and including 2.3. Any WordPress site that has installed a vulnerable version of this plugin is at risk. No specific WordPress core version or server platform is required beyond the typical requirements for running the plugin.

The CVSS score of 6.5 indicates a moderate severity, and the EPSS score of <1% suggests very low exploitation probability under current conditions. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to achieve write access to a site’s plugin settings or to inject payload through the plugin’s configuration interface, implying that compromised credentials or flexible user roles may be prerequisites. Once a payload is stored, it will be executed automatically for any user who views the relevant admin pages, providing the attacker with a persistent, ubiquitous attack surface.