CVE-2026-1093 identifies a stored cross-site scripting vulnerability in the WPFAQBlock – FAQ & Accordion Plugin for Gutenberg, a WordPress plugin developed by creativewerkdesigns. The vulnerability stems from improper neutralization of user input (CWE-79) specifically in the 'class' parameter of the 'wpfaqblock' shortcode. The plugin fails to adequately sanitize and escape this parameter, allowing authenticated users with Contributor-level access or higher to inject arbitrary JavaScript code into pages. Because the malicious script is stored, it executes every time any user accesses the affected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions within the context of the victim’s browser. The vulnerability affects all plugin versions up to 1.1 and was publicly disclosed on March 21, 2026. The CVSS v3.1 base score is 6.4, indicating medium severity, with an attack vector over the network, low attack complexity, privileges required at the Contributor level, no user interaction needed, and a scope change affecting confidentiality and integrity but not availability. No patches or fixes have been linked yet, and no known exploits are currently in the wild, but the vulnerability poses a significant risk due to the widespread use of WordPress and the common deployment of this plugin for FAQ and accordion features on websites.

The impact of this vulnerability is primarily on the confidentiality and integrity of data within affected WordPress sites. An attacker with Contributor-level access can inject malicious scripts that execute in the browsers of any users visiting the compromised pages. This can lead to session hijacking, theft of authentication cookies, defacement of website content, or redirection to malicious sites. Because the vulnerability is stored XSS, the malicious payload persists and affects all visitors until remediated. Organizations relying on this plugin for their websites risk reputational damage, data breaches, and potential compromise of user accounts. The attack does not affect availability directly but can indirectly cause service disruption through defacement or loss of user trust. Given the ease of exploitation (low complexity, no user interaction), the threat is significant especially for sites with multiple contributors or editors who could be coerced or compromised to inject malicious content.

To mitigate this vulnerability, organizations should immediately upgrade the WPFAQBlock plugin to a version that addresses the issue once available. Until a patch is released, administrators should restrict Contributor-level permissions to trusted users only and audit existing content for injected scripts. Implementing a Web Application Firewall (WAF) with rules to detect and block suspicious script injections in shortcode parameters can provide temporary protection. Additionally, site owners should enforce Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Regularly scanning the website for XSS payloads and monitoring user activity for unusual behavior can help detect exploitation attempts. Developers maintaining the plugin should implement proper input validation, sanitization, and output escaping for all user-supplied attributes, especially shortcode parameters. Finally, educating content contributors about secure content practices reduces the risk of accidental injection.