Description
The faq shortocde plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'color' shortcode attribute in the 'faq' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-27
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The faq shortocde plugin for WordPress contains a Stored Cross-Site Scripting vulnerability that allows attackers with Contributor or higher privileges to inject arbitrary JavaScript through the 'color' attribute of the [faq] shortcode. The injected code runs in the browser context of any user who views the affected page, which can lead to credential theft, defacement, or session hijacking. The weakness is classified as CWE-79, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

Affected Systems

The plugin 'faq shortocde', authored by yehudah, on any WordPress site running version 1.0 or earlier. The vulnerability affects every WordPress installation running the plugin up to and including version 1.0.

Risk and Exploitability

The CVSS score of 6.4 places the issue in the moderate severity range. Because the EPSS score is not available, the probability of exploitation is unknown, but the fact that authenticated Contributors can exploit it raises concern. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires the attacker to be authenticated with a Contributor role or higher; once authenticated, they can create or edit a post that contains a crafted 'color' attribute, causing unescaped JavaScript to be stored and later executed for any viewer of the post.

Generated by OpenCVE AI on May 27, 2026 at 07:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the faq shortocde plugin to a patched version when it becomes available; otherwise, remove or disable the plugin.
  • Avoid using the 'color' attribute in the [faq] shortcode or modify the plugin code to strip or HTML‑escape any user‑provided values for that attribute.
  • Restrict Contributor‑level access to trusted users only, and apply site‑wide XSS filtering or content sanitization measures to mitigate the risk of injected scripts.
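As an added illustration of the second recommendation, the following is a hardened shortcode handler that allow-lists the 'color' value and escapes each attribute for the context it is written into. This is not the plugin's own code: the shortcode tag, function names and output markup are assumptions; add_shortcode(), shortcode_atts(), esc_attr(), esc_html(), wp_kses_post() and do_shortcode() are WordPress core functions.

```php
<?php
/*
 * Added, hypothetical example of a hardened shortcode handler. This is
 * NOT the plugin's own code: the shortcode tag, function names and the
 * output markup are assumptions. add_shortcode(), shortcode_atts(),
 * esc_attr(), esc_html(), wp_kses_post() and do_shortcode() are real
 * WordPress core functions.
 */

/**
 * Allow-list a user-supplied color value.
 *
 * Only a 3- or 6-digit hex color (e.g. #fff or #1a2b3c) is accepted;
 * anything else, including quotes or angle brackets that could break out
 * of a style attribute, is replaced by the default. Validation is by
 * pattern, so no untrusted characters ever reach the markup.
 */
function example_faq_safe_color( $value, $default = '#333333' ) {
    $value = trim( (string) $value );
    if ( preg_match( '/^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/', $value ) ) {
        return $value;
    }
    return $default;
}

/**
 * Shortcode callback: every attribute is validated and then escaped for
 * the exact context it is written into (attribute value vs. text node).
 */
function example_faq_shortcode( $atts, $content = '' ) {
    $atts = shortcode_atts(
        array(
            'question' => '',
            'color'    => '#333333',
        ),
        $atts,
        'example_faq'
    );

    $color = example_faq_safe_color( $atts['color'] );

    return sprintf(
        '<div class="faq-item" style="color:%s;"><strong>%s</strong><div>%s</div></div>',
        esc_attr( $color ),                       // attribute context; escape even the allow-listed value
        esc_html( $atts['question'] ),            // text context
        wp_kses_post( do_shortcode( $content ) )  // enclosed content reduced to post-safe HTML
    );
}
add_shortcode( 'example_faq', 'example_faq_shortcode' );
```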


Advisories

No advisories yet.

History

Wed, 27 May 2026 13:30:00 +0000

Type: Metrics
Values Added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 10:30:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress; Yehudah; Yehudah faq Shortocde

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress; Yehudah; Yehudah faq Shortocde

Wed, 27 May 2026 06:30:00 +0000

Type: Description
Values Added: The faq shortocde plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'color' shortcode attribute in the 'faq' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Added: faq shortocde <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'color' Shortcode Attribute

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics
Values Added: cvssV3_1
    {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-27T10:31:45.552Z

Reserved: 2026-05-06T16:10:14.234Z

Link: CVE-2026-8040

Vulnrichment

Updated: 2026-05-27T10:31:39.943Z

NVD

Status : Received

Published: 2026-05-27T07:16:13.923

Modified: 2026-05-27T07:16:13.923

Link: CVE-2026-8040

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:06:50Z

Weaknesses