CVE-2026-4336
Received Received - Intake
Stored XSS in Ultimate FAQ Accordion WordPress Plugin Allows Script Injection

Publication date: 2026-04-09

Last updated on: 2026-04-09

Assigner: Wordfence

Description
The Ultimate FAQ Accordion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via FAQ content in all versions up to, and including, 2.4.7. This is due to the plugin calling html_entity_decode() on post_content during rendering in the set_display_variables() function (View.FAQ.class.php, line 746), which converts HTML entity-encoded payloads back into executable HTML, combined with insufficient output escaping in the faq-answer.php template where the decoded content is echoed without wp_kses_post() or any other sanitization. The ufaq custom post type is registered with 'show_in_rest' => true and defaults to 'post' capability_type, allowing Author-level users to create and publish FAQs via the REST API. An Author can submit entity-encoded malicious HTML (e.g., <img src=x onerror=alert()>) which bypasses WordPress's kses sanitization at save time (since kses sees entities as plain text, not tags), but is then decoded back into executable HTML by html_entity_decode() at render time. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in FAQ pages that will execute whenever a user accesses an injected FAQ, either directly or via the [ultimate-faqs] shortcode.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-09
Last Modified
2026-04-09
Generated
2026-06-16
AI Q&A
2026-04-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4336
EUVD
EUVD-2026-20845
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ultimate_faqs ultimate_faq_accordion to 2.4.7 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Ultimate FAQ Accordion plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in all versions up to 2.4.7. This occurs because the plugin decodes HTML entities in FAQ content during rendering, turning encoded payloads back into executable HTML. The decoded content is then output without proper sanitization, allowing malicious scripts to run.

Specifically, the plugin uses html_entity_decode() on post content, which converts entity-encoded input (like <img src=x onerror=alert()>) into actual HTML tags. Since the plugin does not sanitize this decoded content before displaying it, attackers with Author-level access can inject malicious scripts into FAQ pages via the REST API.

Impact Analysis

This vulnerability allows authenticated users with Author-level permissions or higher to inject arbitrary JavaScript into FAQ pages. When other users view these pages, the malicious scripts execute in their browsers.

  • It can lead to theft of user credentials or session tokens.
  • It can enable unauthorized actions on behalf of users (such as changing settings or stealing data).
  • It can damage the website's reputation and trustworthiness.
Detection Guidance

This vulnerability affects the Ultimate FAQ Accordion plugin for WordPress versions up to and including 2.4.7. Detection involves identifying if this plugin and vulnerable versions are installed on your WordPress site.

Since the vulnerability allows Author-level users to inject malicious FAQ content via the REST API, monitoring REST API requests for suspicious payloads or unusual FAQ content submissions can help detect exploitation attempts.

Specific commands are not provided in the available resources, but general detection steps include:

  • Check the installed version of the Ultimate FAQ Accordion plugin in your WordPress installation.
  • Review recent FAQ content submissions for suspicious HTML entity-encoded payloads such as <img src=x onerror=alert()>.
  • Monitor REST API logs for POST or PUT requests to endpoints related to the 'ufaq' custom post type.
Mitigation Strategies

Immediate mitigation steps include:

  • Update the Ultimate FAQ Accordion plugin to a version later than 2.4.7 where the vulnerability is fixed.
  • Restrict Author-level user permissions to prevent untrusted users from creating or publishing FAQs.
  • Temporarily disable or restrict access to the REST API endpoints related to the 'ufaq' custom post type if possible.
  • Review and sanitize existing FAQ content to remove any malicious scripts.
Compliance Impact

The vulnerability allows authenticated users with Author-level access to inject arbitrary web scripts via stored cross-site scripting (XSS) in FAQ content. This can lead to unauthorized script execution in users' browsers when accessing affected FAQ pages.

Such unauthorized script execution can potentially lead to data exposure, session hijacking, or other malicious activities that may compromise the confidentiality and integrity of user data.

Therefore, this vulnerability could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal data against unauthorized access and ensuring secure handling of sensitive information.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4336. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart