
CVE-2025-39382: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in danielpataki ACF: Google Font Selector

Medium
Published: Thu Apr 24 2025 (04/24/2025, 16:08:37 UTC)
Source: CVE
Vendor/Project: danielpataki
Product: ACF: Google Font Selector

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in danielpataki ACF: Google Font Selector allows Reflected XSS. This issue affects ACF: Google Font Selector: from n/a through 3.0.1.

AI-Powered Analysis

AI analysis last updated: 06/24/2025, 11:40:22 UTC

Technical Analysis

CVE-2025-39382 is a reflected cross-site scripting (XSS) vulnerability in the ACF: Google Font Selector WordPress plugin by danielpataki, affecting all versions up to and including 3.0.1. It is classified under CWE-79 (improper neutralization of input during web page generation): a request parameter is written back into the generated page without adequate sanitization or output encoding, so an attacker can inject markup or script into the response. When a victim opens a crafted URL, the injected script executes in the victim's browser within the origin of the affected site, which can enable session hijacking, credential theft, actions performed with the victim's privileges, or redirection to attacker-controlled sites. Because the flaw is reflected rather than stored, exploitation requires the victim to follow a crafted link or visit a page that issues the crafted request on their behalf. The advisory does not name the reflecting parameter or the page on which it is rendered. ACF field types are normally rendered inside the WordPress admin (post edit screens and field-group settings), so the most plausible victim is a logged-in editor or administrator, in which case the script runs with that user's privileges; this is an inference from how the plugin is used, not a statement in the advisory. The plugin adds a Google Font selector field type to Advanced Custom Fields (ACF), a widely used WordPress plugin framework, so exposure is limited to sites that have both installed. At the time this analysis was written there were no known exploits in the wild and no vendor patch; the affected-version range should be re-checked against the plugin's current release before concluding that a deployment is unaffected. The CVE was reserved and published in April 2025 with Patchstack as the assigning CNA and has been enriched by CISA. No CVSS score accompanies the record, so severity has to be assessed independently from the impact and exploitability factors above.
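The reflection pattern the analysis describes, shown as an added Python illustration rather than code from the ACF: Google Font Selector plugin. The advisory does not name the affected parameter, so the `font` parameter and the input/paragraph markup below are assumptions. The vulnerable renderer writes the parameter into an attribute value and a text node verbatim; the hardened renderer HTML-encodes it, which in a WordPress plugin corresponds to wrapping the value in esc_attr() and esc_html(). A small parser-based audit then reports whether the rendered page contains a script element or an on* event handler the page did not put there.

```python
"""
Reflected XSS: raw reflection of a request parameter versus output encoding.
Added illustration; not code from the ACF: Google Font Selector plugin.
Assumed: the parameter name `font` and the markup of the page it lands in.
"""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, quote, urlsplit

# Constructed payloads: one breaks out of an attribute, one injects a tag.
ATTR_PAYLOAD = '" onmouseover="alert(document.cookie)" x="'
BODY_PAYLOAD = "<script>alert(1)</script>"


def attacker_url(payload: str) -> str:
    """Build the crafted link a victim would be lured into opening."""
    return "/?font=" + quote(payload)


def _font_param(url: str) -> str:
    params = parse_qs(urlsplit(url).query)
    return params.get("font", [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflects the `font` parameter without encoding (the CWE-79 pattern).
    Both an attribute context and a text context are shown."""
    font = _font_param(url)
    return (
        f'<input type="text" name="font" value="{font}">\n'
        f"<p>Selected font: {font}</p>"
    )


def render_hardened(url: str) -> str:
    """Same page with the value HTML-encoded. quote=True also encodes " and ',
    so the one encoder is safe in both the attribute and the text context
    (WordPress: esc_attr() for the attribute, esc_html() for the text)."""
    font = html.escape(_font_param(url), quote=True)
    return (
        f'<input type="text" name="font" value="{font}">\n'
        f"<p>Selected font: {font}</p>"
    )


class _Auditor(HTMLParser):
    """Collects script elements and on* attributes as a browser would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, _ in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")


def injected_script(page: str) -> list[str]:
    """Return the injected script elements / event handlers in a rendered page.
    The legitimate page has none, so a non-empty list means the payload fired."""
    auditor = _Auditor()
    auditor.feed(page)
    return auditor.findings


if __name__ == "__main__":
    for payload in (ATTR_PAYLOAD, BODY_PAYLOAD):
        url = attacker_url(payload)
        print("vulnerable:", injected_script(render_vulnerable(url)))
        print("hardened:  ", injected_script(render_hardened(url)))
```

Encoding for the context the value is rendered in is the fix; a WAF or CSP only reduces how often or how badly the unencoded reflection is exploited.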

Potential Impact

For European organizations running WordPress sites that use the ACF: Google Font Selector plugin, successful exploitation can compromise user sessions, expose sensitive data, or perform unauthorized actions with the victim's privileges. If the victim is an administrator, injected script can drive that session through the normal admin interfaces to change content, settings, or users, so site integrity is at risk even though the flaw itself does not touch the server or database directly; availability is not directly affected. For organizations processing personal data under GDPR, such a compromise can amount to a reportable data breach with regulatory consequences. Reflected XSS also lends itself to phishing: a link that points at the organization's own domain but carries the payload is more convincing than an attacker-owned one, and can be used for credential harvesting or malware delivery against employees or customers. Use of the plugin across sectors such as e-commerce, media, and public services widens the attack surface, and public exploitation would damage user trust and brand reputation. The absence of known exploits reduces immediate risk but not the potential for future exploitation, particularly once details of the vulnerable parameter become public.

Mitigation Recommendations

1. Until a fixed release is available, disable or remove the ACF: Google Font Selector plugin. Font-selector fields defined with it will stop rendering, so confirm which field groups use them first.
2. Add Web Application Firewall (WAF) rules that detect and block typical reflected-XSS payloads. Because the advisory does not name the affected parameter, rely on a generic XSS rule set (for example the OWASP Core Rule Set) applied to all query and body parameters rather than a rule scoped to one parameter, and make sure the WAF decodes URL-encoded and double-encoded input before matching.
3. Deploy a Content Security Policy (CSP) that disallows inline scripts and restricts script sources. The WordPress admin relies heavily on inline scripts, so a strict policy there needs nonces or hashes to avoid breaking it; a policy on the public front end is simpler to roll out.
4. In the organization's own themes and custom code, validate input and encode output for the context in which it is rendered (in WordPress, esc_attr(), esc_html() and esc_url()). This does not fix the plugin itself, which needs the vendor's update.
5. Monitor web-server and application logs for requests whose URL-decoded parameters contain script tags, event-handler attributes, or javascript: URLs, especially requests to admin pages.
6. Warn users and administrators not to follow untrusted links to the site, including links that appear to point at legitimate admin or font-selection pages but carry unusual URL parameters.
7. Apply the vendor's fixed release as soon as it is published.
8. For custom integrations that pass data to or read data from the plugin, review that code and make sure values are sanitized on input and escaped on output.
9. Set the HttpOnly and Secure flags on session cookies (WordPress sets HttpOnly on its authentication cookies by default). This blocks cookie theft via document.cookie but does not stop injected script from acting within the victim's session, so it limits rather than prevents the impact.
10. Audit installed WordPress plugins regularly and keep an inventory so that newly published vulnerabilities can be matched to deployments quickly.
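Detection logic for the log-monitoring item (5) and the decode-before-match point from the WAF item (2), as an added Python example that is not part of the original analysis. The access-log lines are constructed for the example; the `/wp-admin/post.php` path and the `font` parameter are assumed, since the advisory names neither the endpoint nor the parameter. Percent-encoding is undone repeatedly before the indicators are matched so that double-encoded payloads are caught.

```python
"""
Scan web-server access logs for request parameters carrying reflected-XSS
payloads. Added example; log lines are constructed and the vulnerable
endpoint/parameter (/wp-admin/post.php, font) are assumptions.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Apache/nginx "combined" format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators of script injection, matched against the fully decoded value.
XSS_INDICATORS = [
    ("script tag", re.compile(r"<\s*script\b", re.I)),
    ("event handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript: URL", re.compile(r"javascript\s*:", re.I)),
    ("html injection", re.compile(r"<\s*(svg|img|iframe|object|embed)\b", re.I)),
]

# Constructed sample log: one benign font selection, two crafted requests,
# one unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Apr/2025:16:10:01 +0000] "GET /wp-admin/post.php?post=12&action=edit&font=Roboto HTTP/1.1" 200 5120',
    '198.51.100.7 - - [24/Apr/2025:16:11:44 +0000] "GET /wp-admin/post.php?post=12&font=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E HTTP/1.1" 200 5300',
    '198.51.100.7 - - [24/Apr/2025:16:12:03 +0000] "GET /wp-admin/post.php?post=12&font=%2522%2520onmouseover%253Dalert(1)%2520x%253D%2522 HTTP/1.1" 200 5300',
    '203.0.113.9 - - [24/Apr/2025:16:12:30 +0000] "POST /wp-login.php HTTP/1.1" 302 -',
]


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo percent-encoding repeatedly so double-encoded payloads
    (%253C -> %3C -> <) are matched in their final form."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(value: str) -> list[str]:
    """Names of the indicators that fire on a single parameter value."""
    decoded = fully_decode(value)
    return [name for name, rx in XSS_INDICATORS if rx.search(decoded)]


def scan_access_log(lines) -> list[dict]:
    """Return one finding per suspicious parameter, in log order."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        query = urlsplit(m.group("target")).query
        # parse_qsl decodes one layer; fully_decode handles the rest.
        for name, value in parse_qsl(query, keep_blank_values=True):
            hits = classify(value)
            if hits:
                findings.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "param": name,
                    "indicators": hits,
                    "decoded": fully_decode(value)[:80],
                })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} param={f['param']} {f['indicators']} -> {f['decoded']}")
```

The indicator list is deliberately short; tune it against your own traffic, since values such as free-text search terms can trip the event-handler pattern. Requests that return 200 from admin pages with a flagged parameter deserve the same follow-up as a confirmed phishing click: check which user was logged in and what that session did next.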


Technical Details

Data Version
5.1
Assigner Short Name
Patchstack
Date Reserved
2025-04-16T06:22:35.637Z
Cisa Enriched
true

Threat ID: 682d983fc4522896dcbf05a6

Added to database: 5/21/2025, 9:09:19 AM

Last enriched: 6/24/2025, 11:40:22 AM

Last updated: 8/16/2025, 12:42:33 AM

