Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ays Pro FAQ Builder AYS faq-builder-ays allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FAQ Builder AYS: from n/a through <= 1.8.2.
AnalysisAI
A Cross-Site Scripting (XSS) vulnerability exists in AYS Pro FAQ Builder plugin versions up to and including 1.8.2, allowing attackers to inject malicious scripts through improperly neutralized input during web page generation. The vulnerability stems from incorrectly configured access control security levels, enabling unauthenticated or low-privileged attackers to execute arbitrary JavaScript in the context of affected WordPress sites. While CVSS and EPSS scores are not publicly available, the vulnerability was reported by Patchstack and assigned ENISA EUVD ID EUVD-2026-15661, indicating formal recognition across European vulnerability databases.
Technical ContextAI
The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), a well-known XSS weakness where user-supplied input is not properly sanitized or escaped before being rendered in HTML output. The affected product is identified via CPE as cpe:2.3:a:ays_pro:faq_builder_ays:*:*:*:*:*:*:*:*, indicating all versions of the AYS Pro FAQ Builder plugin for WordPress. The root cause involves access control misconfiguration that allows attackers to interact with FAQ generation endpoints without proper validation, permitting injection of unfiltered HTML and JavaScript payloads into FAQ content, forms, or configuration settings. This reflects a failure to implement proper output encoding and input validation mechanisms typical of stored or reflected XSS vulnerabilities in WordPress plugin architecture.
RemediationAI
Immediately upgrade AYS Pro FAQ Builder to a version newer than 1.8.2 (confirm the patched version with the vendor or via the official WordPress plugin repository). After patching, clear any cached FAQ content and audit logs to identify potential malicious script injection. As a temporary interim measure pending patching, implement WordPress security hardening by restricting plugin file access via .htaccess rules, disabling plugin editing via DISALLOW_FILE_EDIT, and using Web Application Firewall (WAF) rules to block common XSS payloads targeting FAQ endpoints. Additionally, audit all FAQ entries for suspicious script content and consider temporarily disabling the plugin if a patched version is not immediately available. For detailed remediation guidance, consult the vendor advisory linked in the Patchstack vulnerability report at https://patchstack.com/database/Wordpress/Plugin/faq-builder-ays/vulnerability/wordpress-faq-builder-ays-plugin-1-8-2-cross-site-scripting-xss-vulnerability and monitor the official AYS Pro website for security announcements.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15661
GHSA-c78c-c2vg-668p