The Ultimate FAQ Accordion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via FAQ content in all versions up to, and including, 2.4.7. This is due to the plugin calling html_entity_decode() on post_content during rendering in the set_display_variables() function (View.FAQ.class.php, line 746), which converts HTML entity-encoded payloads back into executable HTML, combined with insufficient output escaping in the faq-answer.php template where the decoded content is echoed without wp_kses_post() or any other sanitization. The ufaq custom post type is registered with 'show_in_rest' => true and defaults to 'post' capability_type, allowing Author-level users to create and publish FAQs via the REST API. An Author can submit entity-encoded malicious HTML (e.g., <img src=x onerror=alert()>) which bypasses WordPress's kses sanitization at save time (since kses sees entities as plain text, not tags), but is then decoded back into executable HTML by html_entity_decode() at render time. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in FAQ pages that will execute whenever a user accesses an injected FAQ, either directly or via the [ultimate-faqs] shortcode.
The Ultimate FAQ Accordion WordPress plugin versions up to 2.4.7 contain a Stored XSS vulnerability where Author-level users can inject malicious scripts through FAQ content via the REST API. The vulnerability exists because the plugin decodes HTML entities without proper output escaping, allowing execution of arbitrary JavaScript in the context of site visitors.
يحتوي مكون Ultimate FAQ Accordion للإصدارات حتى 2.4.7 على ثغرة Stored XSS حيث يمكن لمستخدمي مستوى المؤلف حقن محتوى ضار عبر REST API. تنشأ الثغرة من استدعاء الدالة html_entity_decode() على محتوى المنشور دون تصفية مناسبة في دالة set_display_variables()، مما يسمح بتنفيذ HTML و JavaScript تعسفي.
Ultimate FAQ Accordion plugin for WordPress up to version 2.4.7 is vulnerable to Stored Cross-Site Scripting attacks where users with Author privileges can inject malicious code through FAQ content. The plugin improperly decodes HTML entities and fails to sanitize output, enabling arbitrary script execution on visitor browsers.
Immediately update the Ultimate FAQ Accordion plugin to version 2.4.8 or later. If immediate update is not possible, restrict Author-level REST API access to the ufaq post type via user role management. Review existing FAQ content for suspicious HTML entities or script patterns. Implement Web Application Firewall rules to detect and block entity-encoded XSS payloads in FAQ submissions.
قم بتحديث مكون Ultimate FAQ Accordion إلى الإصدار 2.4.8 أو أحدث فوراً. إذا لم يكن التحديث ممكناً، قيّد وصول المستخدمين من مستوى المؤلف إلى REST API لنوع المنشور ufaq. راجع محتوى الأسئلة الشائعة الموجودة للبحث عن أنماط HTML أو نصوص برمجية مريبة. طبّق قواعد جدار الحماية لتطبيقات الويب لكشف وحجب حمولات XSS المشفرة بالكيانات.