{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14983", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-19T17:53:53.254Z", "datePublished": "2026-02-19T04:36:22.512Z", "dateUpdated": "2026-04-08T17:20:43.304Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:20:43.304Z"}, "affected": [{"vendor": "mattkeys", "product": "Advanced Custom Fields: Font Awesome Field", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Advanced Custom Fields: Font Awesome Field plugin for WordPress is vulnerable to Cross-Site Scripting in all versions up to, and including, 5.0.1 due to insufficient input sanitization and output escaping. This makes it possible forauthenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts that execute in a victim's browser."}], "title": "Advanced Custom Fields: Font Awesome <= 5.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c495d7f6-6d4a-4b1a-90f9-5273e7773d7a?source=cve"}, {"url": "https://plugins.svn.wordpress.org/advanced-custom-fields-font-awesome/trunk/fields/acf-font-awesome-v6.php#L332"}, {"url": "https://plugins.svn.wordpress.org/advanced-custom-fields-font-awesome/trunk/fields/acf-font-awesome-v6.php#L337"}, {"url": "https://plugins.svn.wordpress.org/advanced-custom-fields-font-awesome/trunk/fields/acf-font-awesome-v6.php#L361"}, {"url": "https://plugins.svn.wordpress.org/advanced-custom-fields-font-awesome/trunk/fields/acf-font-awesome-v6.php#L374"}, {"url": "https://plugins.svn.wordpress.org/advanced-custom-fields-font-awesome/trunk/fields/acf-font-awesome-v7.php#L361"}, {"url": "https://plugins.svn.wordpress.org/advanced-custom-fields-font-awesome/trunk/fields/acf-font-awesome-v7.php#L376"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields-font-awesome/trunk/fields/acf-font-awesome-v6.php"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields-font-awesome/trunk/fields/acf-font-awesome-v7.php"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3435775%40advanced-custom-fields-font-awesome&new=3435775%40advanced-custom-fields-font-awesome&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "JongHwan Shin"}], "timeline": [{"time": "2026-02-18T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T01:31:58.199802Z", "id": "CVE-2025-14983", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T01:32:09.581Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14983", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-24T01:31:58.199802Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T01:32:05.528Z"}}], "cna": {"title": "Advanced Custom Fields: Font Awesome <= 5.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "JongHwan Shin"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "mattkeys", "product": "Advanced Custom Fields: Font Awesome Field", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.0.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-18T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c495d7f6-6d4a-4b1a-90f9-5273e7773d7a?source=cve"}, {"url": "https://plugins.svn.wordpress.org/advanced-custom-fields-font-awesome/trunk/fields/acf-font-awesome-v6.php#L332"}, {"url": "https://plugins.svn.wordpress.org/advanced-custom-fields-font-awesome/trunk/fields/acf-font-awesome-v6.php#L337"}, {"url": "https://plugins.svn.wordpress.org/advanced-custom-fields-font-awesome/trunk/fields/acf-font-awesome-v6.php#L361"}, {"url": "https://plugins.svn.wordpress.org/advanced-custom-fields-font-awesome/trunk/fields/acf-font-awesome-v6.php#L374"}, {"url": "https://plugins.svn.wordpress.org/advanced-custom-fields-font-awesome/trunk/fields/acf-font-awesome-v7.php#L361"}, {"url": "https://plugins.svn.wordpress.org/advanced-custom-fields-font-awesome/trunk/fields/acf-font-awesome-v7.php#L376"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields-font-awesome/trunk/fields/acf-font-awesome-v6.php"}, {"url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields-font-awesome/trunk/fields/acf-font-awesome-v7.php"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3435775%40advanced-custom-fields-font-awesome&new=3435775%40advanced-custom-fields-font-awesome&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Advanced Custom Fields: Font Awesome Field plugin for WordPress is vulnerable to Cross-Site Scripting in all versions up to, and including, 5.0.1 due to insufficient input sanitization and output escaping. This makes it possible forauthenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts that execute in a victim's browser."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:20:43.304Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14983", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:20:43.304Z", "dateReserved": "2025-12-19T17:53:53.254Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-19T04:36:22.512Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Advanced Custom Fields: Font Awesome Field plugin for WordPress is vulnerable to Cross-Site Scripting in all versions up to, and including, 5.0.1 due to insufficient input sanitization and output escaping. This makes it possible forauthenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts that execute in a victim's browser."}, {"lang": "es", "value": "El plugin Advanced Custom Fields: Font Awesome Field para WordPress es vulnerable a cross-site scripting en todas las versiones hasta la 5.0.1, inclusive, debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador y superior, inyecten scripts web arbitrarios que se ejecutan en el navegador de una v\u00edctima."}], "id": "CVE-2025-14983", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-19T07:17:36.180", "references": [{"source": "security@wordfence.com", "url": "https://plugins.svn.wordpress.org/advanced-custom-fields-font-awesome/trunk/fields/acf-font-awesome-v6.php#L332"}, {"source": "security@wordfence.com", "url": "https://plugins.svn.wordpress.org/advanced-custom-fields-font-awesome/trunk/fields/acf-font-awesome-v6.php#L337"}, {"source": "security@wordfence.com", "url": "https://plugins.svn.wordpress.org/advanced-custom-fields-font-awesome/trunk/fields/acf-font-awesome-v6.php#L361"}, {"source": "security@wordfence.com", "url": "https://plugins.svn.wordpress.org/advanced-custom-fields-font-awesome/trunk/fields/acf-font-awesome-v6.php#L374"}, {"source": "security@wordfence.com", "url": "https://plugins.svn.wordpress.org/advanced-custom-fields-font-awesome/trunk/fields/acf-font-awesome-v7.php#L361"}, {"source": "security@wordfence.com", "url": "https://plugins.svn.wordpress.org/advanced-custom-fields-font-awesome/trunk/fields/acf-font-awesome-v7.php#L376"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields-font-awesome/trunk/fields/acf-font-awesome-v6.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields-font-awesome/trunk/fields/acf-font-awesome-v7.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3435775%40advanced-custom-fields-font-awesome&new=3435775%40advanced-custom-fields-font-awesome&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c495d7f6-6d4a-4b1a-90f9-5273e7773d7a?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.0.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Advanced Custom Fields: Font Awesome Field", "source": "cna", "vendor": "mattkeys"}, "product": "advanced_custom_fields:_font_awesome_field", "vendor": "mattkeys"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-21T15:51:27.840135+00:00", "value": {"mitigation_remediation": ["Update the Advanced Custom Fields: Font Awesome Field plugin to the latest version that fixes the XSS flaw.", "If an update is unavailable, remove or sanitize any stored Font Awesome field entries that contain scripts and restrict editing of these fields to administrators only.", "Implement a site-wide Content Security Policy that blocks inline scripts or restricts script sources to trusted hosts to mitigate any residual XSS risk."], "summary": {"action": "Apply Update", "impact": "Stored Cross\u2011Site Scripting for authenticated Contributors+"}, "threat_synthesis": {"affected_systems": "WordPress sites that use the Advanced Custom Fields: Font Awesome Field plugin version 5.0.1 or older, as released by mattkeys. Sites that have caching or backup plugins might retain stored malicious content until the plugin is updated or the data is cleaned.", "description_and_impact": "The Advanced Custom Fields: Font Awesome Field plugin is vulnerable to stored Cross\u2011Site Scripting in all versions up to 5.0.1 because user input is not properly sanitized or escaped. An attacker who can edit a Font Awesome field with Contributor level access or higher can store a malicious script that will later execute in any browser that loads a page displaying that field. This can result in theft of session cookies, defacement of the site, or further attacks against users who view the compromised page. Based on the description, it is inferred that the attacker must be authenticated with sufficient privileges to edit the field, so the flaw is not publicly exploitable by anonymous users.", "risk_and_exploitability": "The CVSS score is 6.4, indicating moderate severity, and its EPSS score is below 1\u202f%, implying that active exploitation is presently rare. The vulnerability is not listed in the CISA KEV catalog. The required conditions for exploitation are that the attacker has Contributor or higher privileges to edit a Font Awesome field and that the field is rendered on a page viewed by other users. The likely attack vector is an authenticated privilege for editing a field followed by a stored XSS scenario that affects users who view the compromised content."}}}}, "created": "2026-02-19T10:06:56.508888+00:00", "updated": "2026-04-21T16:00:13.271186+00:00", "vendors": ["mattkeys", "mattkeys$PRODUCT$advanced_custom_fields:_font_awesome_field", "wordpress", "wordpress$PRODUCT$wordpress"]}