CVE-2026-6415 is a stored cross-site scripting vulnerability in the Advanced Custom Fields: Font Awesome Field WordPress plugin. The issue is caused by improper neutralization of input during web page generation, specifically due to insufficient validation of JSON field values and unsafe client-side HTML construction within the update_preview() JavaScript function. This allows authenticated users with at least Subscriber privileges to inject malicious scripts that persist and execute when other users access the injected pages. The vulnerability affects versions up to and including 5.0.2. The CVSS 3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, and privileges required. No patch or official remediation is currently documented.

Successful exploitation allows an authenticated user with Subscriber-level access or higher to inject persistent malicious scripts into pages generated by the plugin. These scripts execute in the context of other users viewing the affected pages, potentially leading to information disclosure or other client-side impacts. The vulnerability does not affect availability and requires authentication, limiting its scope. There are no known active exploits in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, consider restricting plugin usage to trusted users only and monitoring for suspicious activity. Avoid granting unnecessary privileges to users who do not require them. Review and sanitize JSON field inputs if possible through custom code or security plugins. No official patch or temporary fix is currently available.