Skip to main content

Faq Builder Ays EUVDEUVD-2026-15661

| CVE-2026-25346 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 Patchstack GHSA-c78c-c2vg-668p
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15661
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ays Pro FAQ Builder AYS faq-builder-ays allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FAQ Builder AYS: from n/a through <= 1.8.2.

AnalysisAI

A Cross-Site Scripting (XSS) vulnerability exists in AYS Pro FAQ Builder plugin versions up to and including 1.8.2, allowing attackers to inject malicious scripts through improperly neutralized input during web page generation. The vulnerability stems from incorrectly configured access control security levels, enabling unauthenticated or low-privileged attackers to execute arbitrary JavaScript in the context of affected WordPress sites. While CVSS and EPSS scores are not publicly available, the vulnerability was reported by Patchstack and assigned ENISA EUVD ID EUVD-2026-15661, indicating formal recognition across European vulnerability databases.

Technical ContextAI

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), a well-known XSS weakness where user-supplied input is not properly sanitized or escaped before being rendered in HTML output. The affected product is identified via CPE as cpe:2.3:a:ays_pro:faq_builder_ays:*:*:*:*:*:*:*:*, indicating all versions of the AYS Pro FAQ Builder plugin for WordPress. The root cause involves access control misconfiguration that allows attackers to interact with FAQ generation endpoints without proper validation, permitting injection of unfiltered HTML and JavaScript payloads into FAQ content, forms, or configuration settings. This reflects a failure to implement proper output encoding and input validation mechanisms typical of stored or reflected XSS vulnerabilities in WordPress plugin architecture.

RemediationAI

Immediately upgrade AYS Pro FAQ Builder to a version newer than 1.8.2 (confirm the patched version with the vendor or via the official WordPress plugin repository). After patching, clear any cached FAQ content and audit logs to identify potential malicious script injection. As a temporary interim measure pending patching, implement WordPress security hardening by restricting plugin file access via .htaccess rules, disabling plugin editing via DISALLOW_FILE_EDIT, and using Web Application Firewall (WAF) rules to block common XSS payloads targeting FAQ endpoints. Additionally, audit all FAQ entries for suspicious script content and consider temporarily disabling the plugin if a patched version is not immediately available. For detailed remediation guidance, consult the vendor advisory linked in the Patchstack vulnerability report at https://patchstack.com/database/Wordpress/Plugin/faq-builder-ays/vulnerability/wordpress-faq-builder-ays-plugin-1-8-2-cross-site-scripting-xss-vulnerability and monitor the official AYS Pro website for security announcements.

Share

EUVD-2026-15661 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy