Impact
Stored cross-site scripting was found in the WPFAQBlock – FAQ & Accordion Plugin For Gutenberg. The vulnerability is reached through the 'class' attribute of the 'wpfaqblock' shortcode: the attribute value is neither sanitized on input nor escaped on output before it is written into the rendered markup. Attackers with Contributor-level or higher rights can insert arbitrary JavaScript that executes in the browser of any user who views the rendered page, opening avenues for session hijacking, defacement, or malicious content injection.
Affected Systems
The issue affects the WordPress plugin WPFAQBlock – FAQ & Accordion Plugin For Gutenberg developed by creativewerkdesigns. All released versions up to and including 1.1 are impacted. The vulnerability is exposed on every page or post of a WordPress site that has this plugin installed and uses the shortcode.
Risk and Exploitability
The Common Vulnerability Scoring System (CVSS) score is 6.4, reflecting moderate severity. Because the flaw requires authenticated access at Contributor level or higher, it is not exploitable by unauthenticated users, but anyone with such privileges, including the content authors that many sites have, could add malicious code. No EPSS score is available, and the flaw is not listed in CISA's Known Exploited Vulnerabilities catalog. Successful exploitation would be achieved by editing a page or post containing the shortcode and inserting crafted script into the class attribute; because the payload is stored in post content, it will then run for all subsequent page views until the offending content is removed, so reviewing existing shortcode usage is part of remediation.
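As an added defender-side check (not code from the plugin or from OpenCVE), the script below scans post content for 'wpfaqblock' shortcodes whose 'class' attribute would not survive WordPress's sanitize_html_class() unchanged, which is the same "is this still a plain class name?" test a hardened handler would apply before escaping the value with esc_attr(). The shortcode attribute parser is a simplified approximation of WordPress's shortcode_parse_atts(), and the posts are constructed sample data standing in for rows exported from wp_posts.

```python
import re

# Simplified stand-in for WordPress's shortcode_parse_atts(): handles
# key="value", key='value' and key=value. Assumption: a real scan would
# feed (post_id, post_content) rows exported from the wp_posts table.
ATTR_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s\]]+))')
TAG_RE = re.compile(r'\[wpfaqblock\b([^\]]*)\]')

# sanitize_html_class() keeps only A-Z, a-z, 0-9, '-' and '_'.
UNSAFE_CLASS_CHARS = re.compile(r'[^A-Za-z0-9_-]')


def parse_atts(attr_text):
    """Return the shortcode's attributes as a lower-cased dict."""
    atts = {}
    for key, dq, sq, bare in ATTR_RE.findall(attr_text):
        atts[key.lower()] = dq or sq or bare
    return atts


def sanitize_html_class(value):
    """Mirror WordPress's sanitize_html_class(): strip everything else."""
    return UNSAFE_CLASS_CHARS.sub('', value)


def is_safe_class_list(value):
    """True when every whitespace-separated token is already a clean class name."""
    tokens = value.split()
    return bool(tokens) and all(sanitize_html_class(t) == t for t in tokens)


def find_suspicious_shortcodes(posts):
    """Yield (post_id, raw_class) for each wpfaqblock tag whose class attribute
    contains characters that do not belong in an HTML class name (quotes,
    angle brackets, '=', etc.), i.e. content a hardened handler would alter."""
    findings = []
    for post_id, content in posts:
        for match in TAG_RE.finditer(content):
            raw_class = parse_atts(match.group(1)).get('class', '')
            if raw_class and not is_safe_class_list(raw_class):
                findings.append((post_id, raw_class))
    return findings


# Constructed sample rows; post 102 carries a class value that breaks out of
# the attribute (a double quote and markup characters) and should be flagged.
SAMPLE_POSTS = [
    (101, 'Intro [wpfaqblock id="3" class="faq-dark wide"] more text'),
    (102, "[wpfaqblock class='faq\" data-x=\"<b>'] trailing"),
    (103, '[wpfaqblock class=plain-token]'),
]

if __name__ == '__main__':
    for post_id, raw in find_suspicious_shortcodes(SAMPLE_POSTS):
        print(f'post {post_id}: suspicious class attribute {raw!r}')
```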
OpenCVE Enrichment