EUVD-2026-16083
GHSA-2vv2-mqg3-3j3p
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
3Description
The BWL Advanced FAQ Manager Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'baf_sbox' shortcode in all versions up to and including 1.1.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'sbox_id', 'sbox_class', 'placeholder', 'highlight_color', 'highlight_bg', and 'cont_ext_class'. These attributes are directly interpolated into HTML element attributes without any esc_attr() escaping in the baf_sbox() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis
The BWL Advanced FAQ Manager Lite WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'baf_sbox' shortcode due to insufficient input sanitization and output escaping of user-supplied attributes. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript code through shortcode attributes (sbox_id, sbox_class, placeholder, highlight_color, highlight_bg, cont_ext_class) that will execute in the browsers of all users viewing the affected pages. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems running all and apply vendor patches as part of regular patch cycle. Verify Content-Security-Policy and output encoding.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today