Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in danielpataki ACF: Google Font Selector acf-google-font-selector-field allows Reflected XSS.This issue affects ACF: Google Font Selector: from n/a through <= 3.0.1.
Published: 2025-04-24
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper neutralization of user input in the ACF: Google Font Selector plugin allows a reflected cross‑site scripting flaw. When an attacker places malicious script in a permitted field, the script is executed in the context of the website visitor, enabling actions such as session hijacking, defacement, or credential theft. The vulnerability is a classic reflected XSS (CWE‑79).

Affected Systems

The flaw exists in the WordPress ACF: Google Font Selector plugin authored by Danielpataki. Versions from the initial release up to and including 3.0.1 are affected. Any WordPress site installing this plugin version is potentially vulnerable.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity. The EPSS score of less than 1% suggests a low likelihood of widespread exploitation at present, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, the attack vector is likely through crafted input or a malicious URL that an authenticated or unauthenticated user might follow; the vulnerability is reflected, so both users and visitors can be impacted.

Generated by OpenCVE AI on April 30, 2026 at 21:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ACF: Google Font Selector plugin to a version newer than 3.0.1; the author has released a fix that sanitizes input.
  • If an upgrade is unavailable or delayed, de‑activate or uninstall the plugin to eliminate the attack surface.
  • Apply a Content Security Policy that blocks inline scripts and restricts script sources, adding an additional defense layer if the plugin cannot be removed immediately.

Generated by OpenCVE AI on April 30, 2026 at 21:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-12079 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in danielpataki ACF: Google Font Selector allows Reflected XSS. This issue affects ACF: Google Font Selector: from n/a through 3.0.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in danielpataki ACF: Google Font Selector allows Reflected XSS. This issue affects ACF: Google Font Selector: from n/a through 3.0.1. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in danielpataki ACF: Google Font Selector acf-google-font-selector-field allows Reflected XSS.This issue affects ACF: Google Font Selector: from n/a through <= 3.0.1.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Fri, 25 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 24 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in danielpataki ACF: Google Font Selector allows Reflected XSS. This issue affects ACF: Google Font Selector: from n/a through 3.0.1.
Title WordPress ACF: Google Font Selector plugin <= 3.0.1 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:29.807Z

Reserved: 2025-04-16T06:22:35.637Z

Link: CVE-2025-39382

cve-icon Vulnrichment

Updated: 2025-04-24T19:56:02.247Z

cve-icon NVD

Status : Deferred

Published: 2025-04-24T16:15:31.563

Modified: 2026-04-23T15:29:27.030

Link: CVE-2025-39382

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T21:30:36Z

Weaknesses