Attack Vectors

WPFAQBlock– FAQ & Accordion Plugin For Gutenberg (slug: wpfaqblock) is affected by CVE-2026-1093, a Medium-severity Stored Cross-Site Scripting (XSS) issue (CVSS 6.4, CVE record).

The vulnerability can be exploited by an authenticated WordPress user with Contributor access or higher by injecting malicious script content through the ‘class’ attribute of the wpfaqblock shortcode. Because this is a stored issue, the injected code is saved in site content and can execute later when someone views the affected page or post.

From a business perspective, the key risk is that many organizations allow Contributors (or similar roles) for content creation workflows, agencies, interns, or distributed teams—expanding the pool of accounts that could be abused via credential theft, reused passwords, or malicious insiders.

Security Weakness

This issue exists because of insufficient input sanitization and output escaping for user-supplied shortcode attributes—specifically the ‘class’ parameter—across all versions up to and including 1.1. In practical terms, the plugin does not consistently enforce safe values for that attribute before storing and rendering it.

The vulnerability’s scoring highlights why it matters operationally: it is network exploitable with low attack complexity and low privileges required (Contributor+), and it can affect a broader scope of users and sessions when injected content is viewed.

Remediation status: there is no known patch available at this time. Organizations should assess whether continued use is acceptable and consider replacing or uninstalling the plugin based on risk tolerance and exposure.

Technical or Business Impacts

If exploited, Stored XSS can enable attackers to run unauthorized scripts in visitors’ browsers when they view an affected page. Depending on who views the content (customers, prospects, staff, or administrators), impacts may include account takeover risk, unauthorized site changes, redirection to malicious pages, or theft of session information.

For marketing, brand, and revenue teams, this can translate into reputational damage (malicious popups, defacements, or redirects), lost lead conversions, and campaign disruption if high-traffic landing pages are impacted.

For executives and compliance stakeholders, the business impact can extend to incident response costs, potential privacy and contractual obligations if user data or authenticated sessions are exposed, and operational downtime while content is audited and cleaned.

Given there is no known patch, practical mitigations may include: uninstalling/replacing WPFAQBlock– FAQ & Accordion Plugin For Gutenberg, limiting or auditing Contributor-level access, increasing monitoring for unexpected shortcode usage or content changes, and reviewing pages that use the wpfaqblock shortcode for suspicious attributes.

Similar Attacks

Stored XSS is a common pattern in content-management ecosystems because it targets trust in published content and can impact many visitors at once. Examples of real-world XSS disclosures include:

CVE-2023-2745 (WooCommerce) – Stored XSS
CVE-2022-21661 (WordPress core) – Stored XSS