Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shiful H SS Font Awesome Icon ss-font-awesome-icon allows Stored XSS. This issue affects SS Font Awesome Icon: from n/a through <= 4.1.3.
Published: 2025-09-05
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The SS Font Awesome Icon plugin contains a stored Cross‑Site Scripting flaw that allows an attacker to insert malicious JavaScript into the site’s output. The weakness is a classic input‑neutralization issue (CWE‑79), enabling the attacker to execute arbitrary script in the browser context of any user who views the affected page. This could lead to session hijacking, defacement, or the delivery of more advanced malware.

Affected Systems

Any WordPress site using the Shiful H SS Font Awesome Icon plugin up to and including version 4.1.3 is affected. No other product or version restrictions are documented.

Risk and Exploitability

The CVSS score of 6.5 places the vulnerability in the Medium severity band. Its EPSS rating of less than 1% indicates that real‑world exploitation is currently considered unlikely, and the issue is not listed in CISA’s KEV catalogue. An attacker would need to supply malicious input that the plugin then stores, typically through an interface that accepts icon or shortcode data, and then lure a victim into viewing the resulting page. The stored content would then run in the victim’s browser, delivering the attacker’s payload to that user. While the likelihood of exploitation is low, the impact of successful exploitation could be significant for sites that rely on this plugin.

Generated by OpenCVE AI on April 30, 2026 at 02:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the SS Font Awesome Icon plugin to version 4.1.4 or later, if an update is available.
  • If no newer version exists, uninstall or disable the plugin until a patch is released.
  • Ensure that all user‑generated content is properly escaped or sanitized before display to prevent inadvertent script execution.

Advisories
Source: EUVD
ID: EUVD-2025-26940
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shiful H SS Font Awesome Icon allows Stored XSS. This issue affects SS Font Awesome Icon: from n/a through 4.1.3.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shiful H SS Font Awesome Icon allows Stored XSS. This issue affects SS Font Awesome Icon: from n/a through 4.1.3.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shiful H SS Font Awesome Icon ss-font-awesome-icon allows Stored XSS. This issue affects SS Font Awesome Icon: from n/a through <= 4.1.3.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Sun, 07 Sep 2025 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Fri, 05 Sep 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 05 Sep 2025 14:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shiful H SS Font Awesome Icon allows Stored XSS. This issue affects SS Font Awesome Icon: from n/a through 4.1.3.
Title WordPress SS Font Awesome Icon Plugin <= 4.1.3 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:50:38.063Z

Reserved: 2025-09-05T10:49:39.907Z

Link: CVE-2025-58837

Vulnrichment

Updated: 2025-09-05T19:41:49.632Z

NVD

Status: Deferred

Published: 2025-09-05T14:15:56.793

Modified: 2026-04-23T15:33:43.803

Link: CVE-2025-58837

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T02:30:25Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')