{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4075", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-12T19:55:11.296Z", "datePublished": "2026-03-26T02:25:20.928Z", "dateUpdated": "2026-04-08T17:31:52.764Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:31:52.764Z"}, "affected": [{"vendor": "xenioushk", "product": "BWL Advanced FAQ Manager Lite", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The BWL Advanced FAQ Manager Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'baf_sbox' shortcode in all versions up to and including 1.1.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'sbox_id', 'sbox_class', 'placeholder', 'highlight_color', 'highlight_bg', and 'cont_ext_class'. These attributes are directly interpolated into HTML element attributes without any esc_attr() escaping in the baf_sbox() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "BWL Advanced FAQ Manager Lite <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'sbox_id' Shortcode Attribute", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ef01f05a-ed5a-4278-acab-029c58242cf2?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/bwl-advanced-faq-manager-lite/trunk/includes/shortcodes/baf_faq_list.php#L73"}, {"url": "https://plugins.trac.wordpress.org/browser/bwl-advanced-faq-manager-lite/tags/1.1.1/includes/shortcodes/baf_faq_list.php#L73"}, {"url": "https://plugins.trac.wordpress.org/browser/bwl-advanced-faq-manager-lite/trunk/includes/shortcodes/baf_faq_list.php#L75"}, {"url": "https://plugins.trac.wordpress.org/browser/bwl-advanced-faq-manager-lite/tags/1.1.1/includes/shortcodes/baf_faq_list.php#L75"}, {"url": "https://plugins.trac.wordpress.org/browser/bwl-advanced-faq-manager-lite/trunk/includes/shortcodes/baf_faq_list.php#L46"}, {"url": "https://plugins.trac.wordpress.org/browser/bwl-advanced-faq-manager-lite/tags/1.1.1/includes/shortcodes/baf_faq_list.php#L46"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3487104%40bwl-advanced-faq-manager-lite&new=3487104%40bwl-advanced-faq-manager-lite&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2026-03-13T08:10:16.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-25T14:13:14.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T14:00:42.688054Z", "id": "CVE-2026-4075", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T14:00:49.415Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4075", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T14:00:42.688054Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T14:00:45.738Z"}}], "cna": {"title": "BWL Advanced FAQ Manager Lite <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'sbox_id' Shortcode Attribute", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "xenioushk", "product": "BWL Advanced FAQ Manager Lite", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-13T08:10:16.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-25T14:13:14.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ef01f05a-ed5a-4278-acab-029c58242cf2?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/bwl-advanced-faq-manager-lite/trunk/includes/shortcodes/baf_faq_list.php#L73"}, {"url": "https://plugins.trac.wordpress.org/browser/bwl-advanced-faq-manager-lite/tags/1.1.1/includes/shortcodes/baf_faq_list.php#L73"}, {"url": "https://plugins.trac.wordpress.org/browser/bwl-advanced-faq-manager-lite/trunk/includes/shortcodes/baf_faq_list.php#L75"}, {"url": "https://plugins.trac.wordpress.org/browser/bwl-advanced-faq-manager-lite/tags/1.1.1/includes/shortcodes/baf_faq_list.php#L75"}, {"url": "https://plugins.trac.wordpress.org/browser/bwl-advanced-faq-manager-lite/trunk/includes/shortcodes/baf_faq_list.php#L46"}, {"url": "https://plugins.trac.wordpress.org/browser/bwl-advanced-faq-manager-lite/tags/1.1.1/includes/shortcodes/baf_faq_list.php#L46"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3487104%40bwl-advanced-faq-manager-lite&new=3487104%40bwl-advanced-faq-manager-lite&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The BWL Advanced FAQ Manager Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'baf_sbox' shortcode in all versions up to and including 1.1.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'sbox_id', 'sbox_class', 'placeholder', 'highlight_color', 'highlight_bg', and 'cont_ext_class'. These attributes are directly interpolated into HTML element attributes without any esc_attr() escaping in the baf_sbox() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:31:52.764Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4075", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:31:52.764Z", "dateReserved": "2026-03-12T19:55:11.296Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-26T02:25:20.928Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The BWL Advanced FAQ Manager Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'baf_sbox' shortcode in all versions up to and including 1.1.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'sbox_id', 'sbox_class', 'placeholder', 'highlight_color', 'highlight_bg', and 'cont_ext_class'. These attributes are directly interpolated into HTML element attributes without any esc_attr() escaping in the baf_sbox() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin BWL Advanced FAQ Manager Lite para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del shortcode 'baf_sbox' en todas las versiones hasta la 1.1.1 inclusive. Esto se debe a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes en los atributos de shortcode proporcionados por el usuario, como 'sbox_id', 'sbox_class', 'placeholder', 'highlight_color', 'highlight_bg' y 'cont_ext_class'. Estos atributos se interpolan directamente en atributos de elementos HTML sin ning\u00fan escape esc_attr() en la funci\u00f3n baf_sbox(). Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2026-4075", "lastModified": "2026-04-24T16:35:20.070", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-26T04:17:12.120", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/bwl-advanced-faq-manager-lite/tags/1.1.1/includes/shortcodes/baf_faq_list.php#L46"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/bwl-advanced-faq-manager-lite/tags/1.1.1/includes/shortcodes/baf_faq_list.php#L73"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/bwl-advanced-faq-manager-lite/tags/1.1.1/includes/shortcodes/baf_faq_list.php#L75"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/bwl-advanced-faq-manager-lite/trunk/includes/shortcodes/baf_faq_list.php#L46"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/bwl-advanced-faq-manager-lite/trunk/includes/shortcodes/baf_faq_list.php#L73"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/bwl-advanced-faq-manager-lite/trunk/includes/shortcodes/baf_faq_list.php#L75"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3487104%40bwl-advanced-faq-manager-lite&new=3487104%40bwl-advanced-faq-manager-lite&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ef01f05a-ed5a-4278-acab-029c58242cf2?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,1.1.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "BWL Advanced FAQ Manager Lite", "source": "cna", "vendor": "xenioushk"}, "product": "bwl_advanced_faq_manager_lite", "vendor": "xenioushk"}], "analysis": {"en": {"generated_at": "2026-03-26T04:54:41.653877+00:00", "value": {"mitigation_remediation": ["Update BWL Advanced FAQ Manager Lite to the latest version that removes the vulnerability; if no update is available, disable the plugin or remove the shortcode from public pages.", "Restrict Contributor role permissions so users cannot edit or insert shortcodes containing the vulnerable attributes; alternatively, apply stricter role\u2011based access controls to prevent modification of shortcodes.", "Consider reviewing site content for stored malicious scripts and sanitizing or removing any suspicious attributes manually."], "summary": {"action": "Patch Immediately", "impact": "Stored XSS allowing arbitrary script execution"}, "threat_synthesis": {"affected_systems": "WordPress installations running BWL Advanced FAQ Manager Lite version 1.1.1 or earlier, distributed by xenioushk. Any site that embeds the affected shortcode on publicly accessible pages is vulnerable.", "description_and_impact": "The BWL Advanced FAQ Manager Lite WordPress plugin contains a stored cross\u2011site scripting flaw. The plugin\u2019s shortcode processes several user\u2011supplied attributes\u2014including sbox_id, sbox_class, placeholder, highlight_color, highlight_bg, and cont_ext_class\u2014without applying proper sanitization or escaping, allowing an authenticated user with Contributor-level or higher privilege to inject malicious JavaScript. The injected script is stored and subsequently executed whenever a page containing the shortcode is rendered, enabling the attacker to deface the site, exfiltrate session data, or perform other client\u2011side attacks.", "risk_and_exploitability": "The flaw carries a CVSS score of 6.4, indicating moderate severity. No exploitation probability score is currently available, and the vulnerability is not included in the known exploited vulnerabilities catalog. Exploit requires an attacker to first obtain Contributor or higher level access to the WordPress site and then to inject malicious content via the shortcode attributes. Once stored, the payload is delivered to all users who view the affected page, making the compromise possible even to non\u2011authenticated visitors. The combination of authentication requirement and persistent injection provides a tangible but bounded risk to affected sites."}}}}, "created": "2026-03-26T11:30:42.752898+00:00", "updated": "2026-03-26T12:08:43.246307+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "xenioushk", "xenioushk$PRODUCT$bwl_advanced_faq_manager_lite"]}