CVE-2025-23927: 
WordPress vulnerability analysis and mitigation

The Incredible Font Awesome WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 1.0. The vulnerability was discovered and disclosed on January 16, 2025, and is tracked as CVE-2025-23927. This security issue affects the plugin developed by Massimo Serpilli, specifically impacting installations where authenticated users with contributor-level access or above can interact with the plugin (NVD, WPScan).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It has received a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The security flaw stems from insufficient input sanitization and output escaping in the plugin's functionality (Patchstack).

The vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially leading to various attacks including session hijacking, defacement, or malicious redirects (WPScan).

As of the reporting date, there is no official fix available for this vulnerability. Site administrators using the affected plugin should consider either removing it or implementing additional security controls to restrict access to contributor-level functionality (Patchstack).