CVE-2026-4336

Description

The Ultimate FAQ Accordion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via FAQ content in all versions up to, and including, 2.4.7. This is due to the plugin calling html_entity_decode() on post_content during rendering in the set_display_variables() function (View.FAQ.class.php, line 746), which converts HTML entity-encoded payloads back into executable HTML, combined with insufficient output escaping in the faq-answer.php template where the decoded content is echoed without wp_kses_post() or any other sanitization. The ufaq custom post type is registered with 'show_in_rest' => true and defaults to 'post' capability_type, allowing Author-level users to create and publish FAQs via the REST API. An Author can submit entity-encoded malicious HTML (e.g., <img src=x onerror=alert()>) which bypasses WordPress's kses sanitization at save time (since kses sees entities as plain text, not tags), but is then decoded back into executable HTML by html_entity_decode() at render time. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in FAQ pages that will execute whenever a user accesses an injected FAQ, either directly or via the [ultimate-faqs] shortcode.

References

• https://plugins.trac.wordpress.org/browser/ultimate-faqs/tags/2.4.7/ewd-ufaq-templates/faq-answer.php#L2
• https://plugins.trac.wordpress.org/browser/ultimate-faqs/tags/2.4.7/includes/CustomPostTypes.class.php#L84
• https://plugins.trac.wordpress.org/browser/ultimate-faqs/tags/2.4.7/views/View.FAQ.class.php#L746
• https://plugins.trac.wordpress.org/browser/ultimate-faqs/trunk/ewd-ufaq-templates/faq-answer.php#L2
• https://plugins.trac.wordpress.org/browser/ultimate-faqs/trunk/includes/CustomPostTypes.class.php#L84