CVE-2026-4075

Name of the Vulnerable Software and Affected Versions BWL Advanced FAQ Manager Lite plugin for WordPress versions up to and including 1.1.1

Description The BWL Advanced FAQ Manager Lite plugin for WordPress is susceptible to Stored Cross-Site Scripting. This is caused by inadequate input sanitization and output escaping of user-supplied shortcode attributes, specifically sbox id, sbox class, placeholder, highlight color, highlight bg, and cont ext class. These attributes are directly included in HTML element attributes without proper escaping within the baf sbox() function. Authenticated attackers with Contributor-level access or higher can inject malicious web scripts into pages, which will then execute when a user accesses those pages.

Recommendations Update the BWL Advanced FAQ Manager Lite plugin to a version newer than 1.1.1.