Ultimate Faq Accordion Plugin
Monthly
Stored cross-site scripting in Ultimate FAQ Accordion plugin for WordPress (all versions up to 2.4.7) allows authenticated Author-level users to inject arbitrary web scripts into FAQ pages. The vulnerability exploits a double-encoding bypass: the plugin calls html_entity_decode() on FAQ content during rendering, converting entity-encoded payloads (e.g., <img src=x onerror=alert()>) back into executable HTML, which then bypasses WordPress output escaping in the faq-answer.php template. The ufaq custom post type is REST API-enabled with default post capabilities, allowing Authors to create and publish malicious FAQs via REST API. No public exploit code has been identified at time of analysis, but the vulnerability has a moderate CVSS 6.4 score reflecting its authenticated requirement and cross-site impact.
Stored cross-site scripting in Ultimate FAQ Accordion plugin for WordPress (all versions up to 2.4.7) allows authenticated Author-level users to inject arbitrary web scripts into FAQ pages. The vulnerability exploits a double-encoding bypass: the plugin calls html_entity_decode() on FAQ content during rendering, converting entity-encoded payloads (e.g., <img src=x onerror=alert()>) back into executable HTML, which then bypasses WordPress output escaping in the faq-answer.php template. The ufaq custom post type is REST API-enabled with default post capabilities, allowing Authors to create and publish malicious FAQs via REST API. No public exploit code has been identified at time of analysis, but the vulnerability has a moderate CVSS 6.4 score reflecting its authenticated requirement and cross-site impact.