{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4075", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-12T19:55:11.296Z", "datePublished": "2026-03-26T02:25:20.928Z", "dateUpdated": "2026-03-26T02:25:20.928Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-26T02:25:20.928Z"}, "affected": [{"vendor": "xenioushk", "product": "BWL Advanced FAQ Manager Lite", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "1.1.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The BWL Advanced FAQ Manager Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'baf_sbox' shortcode in all versions up to and including 1.1.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'sbox_id', 'sbox_class', 'placeholder', 'highlight_color', 'highlight_bg', and 'cont_ext_class'. These attributes are directly interpolated into HTML element attributes without any esc_attr() escaping in the baf_sbox() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "BWL Advanced FAQ Manager Lite <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'sbox_id' Shortcode Attribute", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ef01f05a-ed5a-4278-acab-029c58242cf2?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/bwl-advanced-faq-manager-lite/trunk/includes/shortcodes/baf_faq_list.php#L73"}, {"url": "https://plugins.trac.wordpress.org/browser/bwl-advanced-faq-manager-lite/tags/1.1.1/includes/shortcodes/baf_faq_list.php#L73"}, {"url": "https://plugins.trac.wordpress.org/browser/bwl-advanced-faq-manager-lite/trunk/includes/shortcodes/baf_faq_list.php#L75"}, {"url": "https://plugins.trac.wordpress.org/browser/bwl-advanced-faq-manager-lite/tags/1.1.1/includes/shortcodes/baf_faq_list.php#L75"}, {"url": "https://plugins.trac.wordpress.org/browser/bwl-advanced-faq-manager-lite/trunk/includes/shortcodes/baf_faq_list.php#L46"}, {"url": "https://plugins.trac.wordpress.org/browser/bwl-advanced-faq-manager-lite/tags/1.1.1/includes/shortcodes/baf_faq_list.php#L46"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3487104%40bwl-advanced-faq-manager-lite&new=3487104%40bwl-advanced-faq-manager-lite&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2026-03-13T08:10:16.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-25T14:13:14.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The BWL Advanced FAQ Manager Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'baf_sbox' shortcode in all versions up to and including 1.1.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'sbox_id', 'sbox_class', 'placeholder', 'highlight_color', 'highlight_bg', and 'cont_ext_class'. These attributes are directly interpolated into HTML element attributes without any esc_attr() escaping in the baf_sbox() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-4075", "lastModified": "2026-03-26T04:17:12.120", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-03-26T04:17:12.120", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/bwl-advanced-faq-manager-lite/tags/1.1.1/includes/shortcodes/baf_faq_list.php#L46"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/bwl-advanced-faq-manager-lite/tags/1.1.1/includes/shortcodes/baf_faq_list.php#L73"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/bwl-advanced-faq-manager-lite/tags/1.1.1/includes/shortcodes/baf_faq_list.php#L75"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/bwl-advanced-faq-manager-lite/trunk/includes/shortcodes/baf_faq_list.php#L46"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/bwl-advanced-faq-manager-lite/trunk/includes/shortcodes/baf_faq_list.php#L73"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/bwl-advanced-faq-manager-lite/trunk/includes/shortcodes/baf_faq_list.php#L75"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3487104%40bwl-advanced-faq-manager-lite&new=3487104%40bwl-advanced-faq-manager-lite&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ef01f05a-ed5a-4278-acab-029c58242cf2?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,1.1.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "BWL Advanced FAQ Manager Lite", "source": "cna", "vendor": "xenioushk"}, "product": "bwl_advanced_faq_manager_lite", "vendor": "xenioushk"}], "analysis": {"en": {"generated_at": "2026-03-26T04:54:41.653877+00:00", "value": {"mitigation_remediation": ["Update BWL Advanced FAQ Manager Lite to the latest version that removes the vulnerability; if no update is available, disable the plugin or remove the shortcode from public pages.", "Restrict Contributor role permissions so users cannot edit or insert shortcodes containing the vulnerable attributes; alternatively, apply stricter role\u2011based access controls to prevent modification of shortcodes.", "Consider reviewing site content for stored malicious scripts and sanitizing or removing any suspicious attributes manually."], "summary": {"action": "Patch Immediately", "impact": "Stored XSS allowing arbitrary script execution"}, "threat_synthesis": {"affected_systems": "WordPress installations running BWL Advanced FAQ Manager Lite version 1.1.1 or earlier, distributed by xenioushk. Any site that embeds the affected shortcode on publicly accessible pages is vulnerable.", "description_and_impact": "The BWL Advanced FAQ Manager Lite WordPress plugin contains a stored cross\u2011site scripting flaw. The plugin\u2019s shortcode processes several user\u2011supplied attributes\u2014including sbox_id, sbox_class, placeholder, highlight_color, highlight_bg, and cont_ext_class\u2014without applying proper sanitization or escaping, allowing an authenticated user with Contributor-level or higher privilege to inject malicious JavaScript. The injected script is stored and subsequently executed whenever a page containing the shortcode is rendered, enabling the attacker to deface the site, exfiltrate session data, or perform other client\u2011side attacks.", "risk_and_exploitability": "The flaw carries a CVSS score of 6.4, indicating moderate severity. No exploitation probability score is currently available, and the vulnerability is not included in the known exploited vulnerabilities catalog. Exploit requires an attacker to first obtain Contributor or higher level access to the WordPress site and then to inject malicious content via the shortcode attributes. Once stored, the payload is delivered to all users who view the affected page, making the compromise possible even to non\u2011authenticated visitors. The combination of authentication requirement and persistent injection provides a tangible but bounded risk to affected sites."}}}}, "created": "2026-03-26T11:30:42.752898+00:00", "updated": "2026-03-26T12:08:43.246307+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "xenioushk", "xenioushk$PRODUCT$bwl_advanced_faq_manager_lite"]}