The Ed's Font Awesome plugin allows an authenticated user with contributor or higher privileges to add arbitrary attributes to the plugin’s shortcode. The plugin fails to sanitize or escape these attributes when storing them, resulting in a stored cross‑site scripting (XSS) vulnerability. When a page containing the malicious shortcode is viewed, the injected script runs in the victim’s browser, allowing session hijacking, data theft, or other client‑side attacks. The flaw exploitable through normal content‑editing functions can lead to widespread compromise of any site users who view affected content.

All WordPress sites that have the Ed's Font Awesome plugin installed, versions up to and including 2.0. Any install where contributors or higher role users can add or edit posts or pages that utilize the plugin’s shortcode is affected.

With a CVSS score of 6.4 the vulnerability poses a moderate risk. The attack requires authenticated access at the contributor level or higher; it can be executed via the site’s content editor or any interface that accepts the shortcode. No public exploits have been reported and the vulnerability is not listed in the CISA KEV catalog, but the lack of EPSS data makes the exact leverage probability uncertain. Still, any exposed contributor account can be used to inject malicious scripts into publicly viewable pages, making an immediate patch advisable.