CVE-2026-4075 is a stored cross-site scripting vulnerability in the BWL Advanced FAQ Manager Lite WordPress plugin (up to version 1.1.1). The issue stems from the baf_sbox() function, which fails to apply esc_attr() escaping on several user-controllable shortcode attributes. This allows authenticated users with at least Contributor privileges to inject malicious JavaScript into pages via the 'baf_sbox' shortcode attributes such as 'sbox_id', 'sbox_class', and 'highlight_color'. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking or other script-based attacks. The vulnerability requires no user interaction beyond viewing the page and has a CVSS score of 6.4 (medium severity). No known exploits in the wild have been reported, and no official patch or remediation is currently documented.

An authenticated attacker with Contributor-level or higher access can inject persistent malicious scripts into pages using the vulnerable shortcode attributes. These scripts execute in the context of any user viewing the affected page, potentially compromising user sessions or performing unauthorized actions. The impact is limited to confidentiality and integrity loss of user data accessible via script execution. There is no reported impact on availability. No known exploitation in the wild has been documented.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict Contributor-level access to trusted users only and consider disabling or removing the BWL Advanced FAQ Manager Lite plugin if feasible. Monitor vendor channels for updates or patches addressing this vulnerability.