CVE-2025-39382: 
WordPress vulnerability analysis and mitigation

The CVE-2025-39382 is a Cross-site Scripting (XSS) vulnerability discovered in the WordPress plugin ACF: Google Font Selector. The vulnerability affects versions through 3.0.1 of the plugin and was publicly disclosed on April 21, 2025. The security issue was identified by security researcher Dimas Maulana and involves improper neutralization of input during web page generation (Patchstack, NVD).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It has been assigned a CVSS v3.1 base score of 7.1 (High), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability allows for Reflected XSS attacks and can be exploited without authentication (Patchstack).

The vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the affected website. These injected scripts would be executed when visitors access the compromised site (Patchstack).

As no official fix is currently available and the software is considered abandoned (last updated over a year ago), users are strongly advised to remove and replace the plugin. Alternatively, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until an official fix becomes available (Patchstack).