CVE-2026-4336: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in rustaurius Ultimate FAQ Accordion Plugin
The Ultimate FAQ Accordion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via FAQ content in all versions up to, and including, 2.4.7. This is due to the plugin calling html_entity_decode() on post_content during rendering in the set_display_variables() function (View.FAQ.class.php, line 746), which converts HTML entity-encoded payloads back into executable HTML, combined with insufficient output escaping in the faq-answer.php template where the decoded content is echoed without wp_kses_post() or any other sanitization. The ufaq custom post type is registered with 'show_in_rest' => true and defaults to 'post' capability_type, allowing Author-level users to create and publish FAQs via the REST API. An Author can submit entity-encoded malicious HTML (e.g., <img src=x onerror=alert()>) which bypasses WordPress's kses sanitization at save time (since kses sees entities as plain text, not tags), but is then decoded back into executable HTML by html_entity_decode() at render time. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in FAQ pages that will execute whenever a user accesses an injected FAQ, either directly or via the [ultimate-faqs] shortcode.
AI Analysis
Technical Summary
CVE-2026-4336 is a stored cross-site scripting vulnerability in the rustaurius Ultimate FAQ Accordion WordPress plugin (up to version 2.4.7). The plugin calls html_entity_decode() on post_content during rendering, which converts entity-encoded payloads back into executable HTML. Since the decoded content is echoed without sanitization functions like wp_kses_post(), malicious scripts submitted by authenticated users with Author-level permissions can execute in other users' browsers. The ufaq custom post type is exposed via the REST API with default post capabilities, enabling Authors to publish malicious FAQ entries that bypass WordPress's kses sanitization at save time due to entity encoding.
Potential Impact
An attacker with Author-level access can inject arbitrary JavaScript into FAQ pages, which will execute in the context of users viewing those pages. This can lead to session hijacking, defacement, or other client-side attacks. The vulnerability does not allow privilege escalation or denial of service but compromises the integrity and confidentiality of affected users' sessions and data.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict Author-level user permissions to trusted individuals only. Avoid publishing untrusted FAQ content and consider disabling the Ultimate FAQ Accordion plugin if possible. Monitor vendor channels for updates and apply patches promptly once released.
CVE-2026-4336: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in rustaurius Ultimate FAQ Accordion Plugin
Description
The Ultimate FAQ Accordion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via FAQ content in all versions up to, and including, 2.4.7. This is due to the plugin calling html_entity_decode() on post_content during rendering in the set_display_variables() function (View.FAQ.class.php, line 746), which converts HTML entity-encoded payloads back into executable HTML, combined with insufficient output escaping in the faq-answer.php template where the decoded content is echoed without wp_kses_post() or any other sanitization. The ufaq custom post type is registered with 'show_in_rest' => true and defaults to 'post' capability_type, allowing Author-level users to create and publish FAQs via the REST API. An Author can submit entity-encoded malicious HTML (e.g., <img src=x onerror=alert()>) which bypasses WordPress's kses sanitization at save time (since kses sees entities as plain text, not tags), but is then decoded back into executable HTML by html_entity_decode() at render time. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in FAQ pages that will execute whenever a user accesses an injected FAQ, either directly or via the [ultimate-faqs] shortcode.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-4336 is a stored cross-site scripting vulnerability in the rustaurius Ultimate FAQ Accordion WordPress plugin (up to version 2.4.7). The plugin calls html_entity_decode() on post_content during rendering, which converts entity-encoded payloads back into executable HTML. Since the decoded content is echoed without sanitization functions like wp_kses_post(), malicious scripts submitted by authenticated users with Author-level permissions can execute in other users' browsers. The ufaq custom post type is exposed via the REST API with default post capabilities, enabling Authors to publish malicious FAQ entries that bypass WordPress's kses sanitization at save time due to entity encoding.
Potential Impact
An attacker with Author-level access can inject arbitrary JavaScript into FAQ pages, which will execute in the context of users viewing those pages. This can lead to session hijacking, defacement, or other client-side attacks. The vulnerability does not allow privilege escalation or denial of service but compromises the integrity and confidentiality of affected users' sessions and data.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict Author-level user permissions to trusted individuals only. Avoid publishing untrusted FAQ content and consider disabling the Ultimate FAQ Accordion plugin if possible. Monitor vendor channels for updates and apply patches promptly once released.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-03-17T14:20:31.307Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d729211cc7ad14da1b3371
Added to database: 4/9/2026, 4:20:49 AM
Last enriched: 4/9/2026, 4:36:21 AM
Last updated: 4/10/2026, 8:15:42 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.