The vulnerability CVE-2025-39382 affects the danielpataki ACF: Google Font Selector plugin (version ≤ 3.0.1). It is a reflected cross-site scripting (XSS) flaw caused by improper neutralization of input during web page generation. This allows an attacker to inject malicious scripts that execute in the context of the victim's browser. The CVSS 3.1 score of 7.1 reflects network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and impacts on confidentiality, integrity, and availability. The vulnerability is not related to a cloud service and no patch or official fix details have been provided.

Successful exploitation of this vulnerability can lead to execution of arbitrary scripts in the context of the affected web application, potentially resulting in partial loss of confidentiality, integrity, and availability. This could allow attackers to steal sensitive information, perform actions on behalf of users, or disrupt service. However, no known exploits have been reported in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider applying input validation or output encoding workarounds if feasible. Monitor vendor channels for updates regarding patches or mitigations.