CVE-2026-4336 is a stored cross-site scripting vulnerability in the rustaurius Ultimate FAQ Accordion WordPress plugin (up to version 2.4.7). The issue arises from the plugin's use of html_entity_decode() on post_content during rendering, which converts entity-encoded payloads back into executable HTML. The decoded content is then output without proper escaping or sanitization (e.g., wp_kses_post()), specifically in the faq-answer.php template. Because the custom post type 'ufaq' is exposed via the REST API and allows Author-level users to create FAQs, an attacker with such privileges can submit entity-encoded malicious HTML that bypasses WordPress's kses filtering at save time but executes when rendered. This enables injection of arbitrary scripts that run in the context of users viewing the FAQ content.

An attacker with Author-level access can inject persistent malicious scripts into FAQ content, which execute in the browsers of users who view the affected FAQ pages or use the [ultimate-faqs] shortcode. This can lead to session hijacking, defacement, or other script-based attacks against site visitors. The vulnerability does not affect unauthenticated users directly but leverages authenticated user privileges to persist malicious code. The CVSS 3.1 base score is 6.4 (medium), reflecting network attack vector, low attack complexity, low privileges required, no user interaction, and impacts on confidentiality and integrity.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict Author-level user capabilities to trusted users only. Avoid using the Ultimate FAQ Accordion plugin or disable it if possible. Monitor plugin updates from rustaurius for a security patch addressing this vulnerability. Do not rely on WordPress's default sanitization as it is bypassed in this case due to entity decoding at render time.