Stored Cross-Site Scripting Vulnerability in Ultimate FAQ Accordion Plugin by WordPress
CVE-2026-4336

6.4 MEDIUM

Key Information:

Vendor: WordPress
CVE Published: 9 April 2026

What is CVE-2026-4336?

The Ultimate FAQ Accordion plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) because of inadequate output sanitization. When the plugin retrieves FAQ content it passes it through html_entity_decode(), which turns HTML-encoded entities back into live HTML without any subsequent filtering or escaping. This allows authenticated users with Author-level access to inject arbitrary scripts into FAQ pages; the scripts execute in the browser of any user who views those pages, compromising the security of the site. The issue is exacerbated because the ufaq custom post type is registered with REST API access, which makes the vulnerability easier for attackers to exploit.
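The decode-then-output pattern the advisory describes, beside the allowlist filtering that closes it, as an added example that is not the plugin's code: Python's html.unescape stands in for PHP's html_entity_decode(), the small AllowlistFilter class stands in for WordPress's wp_kses_post(), and the stored FAQ answer is a constructed sample.

```python
import html
from html.parser import HTMLParser

# Constructed sample: an FAQ answer as it might sit in the database after a user
# without unfiltered_html saved it, with the markup entity-encoded on the way in.
STORED_ANSWER = (
    "Reset your password &lt;a href=&quot;/reset&quot;&gt;here&lt;/a&gt;. "
    "&lt;img src=x onerror=&quot;alert(1)&quot;&gt;"
)

# Tags and attributes allowed to survive into the rendered page.
ALLOWED_TAGS = {"a": {"href"}, "strong": set(), "em": set(), "p": set(), "br": set()}
VOID_TAGS = {"br"}


def render_unsafe(stored: str) -> str:
    """Vulnerable pattern: decode the stored entities and emit the result as HTML."""
    return html.unescape(stored)  # stand-in for PHP's html_entity_decode()


class AllowlistFilter(HTMLParser):
    """Minimal allowlist filter (stand-in for wp_kses_post): keeps only known tags
    and attributes, drops every other tag and every on* event handler."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag (img, script, ...) is dropped entirely
        kept = [(k, v) for k, v in attrs
                if k in ALLOWED_TAGS[tag] and v is not None
                and not v.strip().lower().startswith("javascript:")]
        attr_str = "".join(f' {k}="{html.escape(v, quote=True)}"' for k, v in kept)
        self.out.append(f"<{tag}{attr_str}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))  # text stays text


def render_safe(stored: str) -> str:
    """Hardened pattern: decode, then pass through the allowlist before output."""
    f = AllowlistFilter()
    f.feed(html.unescape(stored))
    f.close()
    return "".join(f.out)
```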

Affected Version(s)

Ultimate FAQ Accordion Plugin: all versions from 0 up to and including 2.4.7

References

CVSS V3.1

Score: 6.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Athiwat Tiprasaharn
Itthidej Aramsri