The vulnerability CVE-2026-4075 affects the BWL Advanced FAQ Manager Lite plugin for WordPress, specifically versions up to and including 1.1.1. It is a stored Cross-Site Scripting (XSS) flaw categorized under CWE-79, caused by improper neutralization of input during web page generation. The issue stems from the baf_sbox() function, which processes the 'baf_sbox' shortcode attributes such as 'sbox_id', 'sbox_class', 'placeholder', 'highlight_color', 'highlight_bg', and 'cont_ext_class'. These attributes are directly inserted into HTML element attributes without proper escaping using esc_attr(), allowing malicious scripts embedded in these attributes to be stored in the website's content. Because the vulnerability is stored, the injected scripts execute every time the affected page is loaded by any user. Exploitation requires an attacker to have at least Contributor-level access to the WordPress site, which is a relatively low privilege level allowing content creation but not full administrative control. The vulnerability does not require user interaction to trigger once the malicious content is stored. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) indicates network attack vector, low attack complexity, privileges required, no user interaction, scope changed, and low impact on confidentiality and integrity, with no impact on availability. No public exploits or patches are currently available, but the flaw is publicly disclosed and documented.

This vulnerability allows authenticated users with Contributor or higher privileges to inject persistent malicious JavaScript into WordPress pages using the vulnerable plugin. The impact includes potential session hijacking, defacement, redirection to malicious sites, theft of sensitive user data, and execution of unauthorized actions on behalf of users visiting the infected pages. Since the scripts execute in the context of the victim's browser, this can lead to compromise of user accounts, especially administrators or editors who access the affected pages. The scope includes all websites using the BWL Advanced FAQ Manager Lite plugin up to version 1.1.1, which may be significant given WordPress's widespread use. Although the attack requires some level of authentication, many WordPress sites allow Contributor-level access to multiple users, increasing risk. The vulnerability does not affect availability but impacts confidentiality and integrity. Organizations relying on this plugin for FAQ management risk reputational damage, data breaches, and potential regulatory consequences if user data is compromised.

To mitigate this vulnerability, organizations should immediately update the BWL Advanced FAQ Manager Lite plugin to a version that properly escapes shortcode attributes using esc_attr() or equivalent sanitization functions once available. Until a patch is released, administrators should restrict Contributor-level access to trusted users only and consider temporarily disabling or removing the plugin if feasible. Implementing a Web Application Firewall (WAF) with rules to detect and block suspicious shortcode attribute payloads can reduce risk. Conduct regular security audits of user-generated content and monitor logs for unusual activity. Educate content contributors about safe input practices and the risks of injecting scripts. Additionally, site owners can implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Finally, maintain regular backups and have an incident response plan ready in case of exploitation.