Stored Cross-Site Scripting in BWL Advanced FAQ Manager Lite Plugin for WordPress
CVE-2026-4075

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: Bwl Advanced Faq Manager Lite
Vendor: CVE Published:; 26 March 2026

What is CVE-2026-4075?

The BWL Advanced FAQ Manager Lite plugin for WordPress is affected by a vulnerability that allows authenticated users with Contributor-level access and above to exploit insufficient input sanitization and output escaping. This occurs through the 'baf_sbox' shortcode, which improperly handles user-supplied attributes like 'sbox_id' and 'sbox_class'. As a result, attackers can inject arbitrary web scripts into pages, which will execute whenever a user accesses the compromised page, posing serious security risks to site visitors.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

BWL Advanced FAQ Manager Lite * <= 1.1.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/bwl-advanced-f...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 26, 2026
Vulnerability Reserved
Mar 12, 2026

Credit

Muhammad Yudha - DJ

JSON

WordPress