Description
The Ultimate FAQ Accordion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via FAQ content in all versions up to, and including, 2.4.7. This is due to the plugin calling html_entity_decode() on post_content during rendering in the set_display_variables() function (View.FAQ.class.php, line 746), which converts HTML entity-encoded payloads back into executable HTML, combined with insufficient output escaping in the faq-answer.php template where the decoded content is echoed without wp_kses_post() or any other sanitization. The ufaq custom post type is registered with 'show_in_rest' => true and defaults to 'post' capability_type, allowing Author-level users to create and publish FAQs via the REST API. An Author can submit entity-encoded malicious HTML (e.g., <img src=x onerror=alert()>) which bypasses WordPress's kses sanitization at save time (since kses sees entities as plain text, not tags), but is then decoded back into executable HTML by html_entity_decode() at render time. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in FAQ pages that will execute whenever a user accesses an injected FAQ, either directly or via the [ultimate-faqs] shortcode.
INFO
Published Date :
2026-04-09T03:25:57.761Z
Last Modified :
2026-04-09T03:25:57.761Z
Source :
Wordfence
AFFECTED PRODUCTS
The following products are affected by CVE-2026-4336 vulnerability.
| Vendors | Products |
|---|---|
| Rustaurius |
|
| Wordpress |
|
REFERENCES
Here, you will find a curated list of external links that provide in-depth information to CVE-2026-4336.
