This vulnerability, identified as CVE-2026-49044, involves improper input sanitization in the Advanced Custom Fields: Font Awesome Field plugin by Justin Kruit. Specifically, it allows stored cross-site scripting (CWE-79), where malicious input can be saved and later executed in the context of a user's browser session. The issue affects versions through 5.0.2. The CVSS 3.1 vector indicates network attack vector, low attack complexity, requiring privileges and user interaction, with impacts on confidentiality, integrity, and availability rated as low to low to low respectively, but with scope changed. No patch or official fix has been documented as of the publication date.

Successful exploitation of this vulnerability could allow an attacker with limited privileges and requiring user interaction to execute arbitrary scripts in the context of affected users' browsers. This may lead to partial compromise of confidentiality, integrity, and availability of the affected system or user data. However, no known active exploits have been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider limiting privileges for users who can input data into the vulnerable field and apply web application firewall (WAF) rules to detect and block potential XSS payloads targeting this plugin. Monitor vendor channels for updates.