CVE-2025-8686 is a stored cross-site scripting vulnerability classified under CWE-79, affecting the WP Easy FAQs plugin for WordPress in all versions up to and including 1.0.5. The flaw stems from inadequate sanitization and escaping of user-supplied attributes in the WP_EASY_FAQ shortcode, which is used to embed FAQ content on WordPress pages. Authenticated users with author-level or higher privileges can exploit this vulnerability by injecting arbitrary JavaScript code into the shortcode attributes. Because the injected scripts are stored persistently within the website content, they execute every time a visitor or administrator loads the affected page. This can lead to a range of malicious outcomes, including theft of session cookies, defacement, redirection to malicious sites, or execution of further attacks within the context of the vulnerable website. The vulnerability requires no user interaction beyond visiting the compromised page but does require the attacker to have author-level access, which limits the attack surface to insiders or compromised accounts. The CVSS 3.1 base score of 6.4 reflects a medium severity, with network attack vector, low attack complexity, and privileges required. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability is significant for websites relying on this plugin, especially those with multiple authors or contributors who may have elevated privileges.

The primary impact of this vulnerability is the potential for stored cross-site scripting attacks, which can compromise the confidentiality and integrity of user sessions and data. Attackers can hijack user sessions, steal cookies, or perform actions on behalf of other users, leading to unauthorized access or data leakage. The integrity of website content can be compromised through defacement or injection of malicious content. Although availability is not directly affected, the reputational damage and potential for further exploitation can indirectly impact service reliability. Organizations with multiple authors or contributors on WordPress sites are at higher risk, as insider threats or compromised accounts can exploit this vulnerability. The medium severity score indicates a moderate risk, but the scope can be significant for high-traffic or sensitive websites. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits in the future.

To mitigate this vulnerability, organizations should first restrict author-level access to trusted users only, minimizing the risk of malicious script injection. Implement strict input validation and output escaping for all user-supplied data in the WP Easy FAQs shortcode, ideally by updating or patching the plugin once an official fix is released. Until a patch is available, consider disabling the WP Easy FAQs plugin or removing the shortcode usage from pages. Employ Web Application Firewalls (WAFs) with rules to detect and block XSS payloads targeting the shortcode parameters. Regularly audit user accounts and permissions to detect any unauthorized privilege escalations. Monitor website logs and user activity for suspicious behavior indicative of exploitation attempts. Educate content authors about the risks of injecting untrusted content and enforce secure content management policies. Finally, keep WordPress core and all plugins updated to the latest versions to reduce exposure to known vulnerabilities.