Vulnerabilities ›

CVE-2026-8040

Medium

CWE-79 — Weakness Type

                    Published: May 27, 2026                      ·  Modified: May 30, 2026                      ·  Source: NVD                

CVSS v3

6.4

🔗 NVD Official

📄 Description (English)

The faq shortocde plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'color' shortcode attribute in the 'faq' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

🤖 AI Executive Summary

The FAQ Shortcode WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'color' attribute of the 'faq' shortcode, affecting all versions up to 1.0. Authenticated users with Contributor-level access can inject malicious scripts that execute for all page visitors. While no patch is currently available and exploit code is not public, this vulnerability poses a significant risk to WordPress installations used by Saudi organizations, particularly those managing public-facing content.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 27, 2026 10:48

🇸🇦 Saudi Arabia Impact Assessment

This vulnerability primarily affects Saudi organizations using WordPress for content management, including: Government agencies and municipalities managing public information portals; Educational institutions (universities, schools) publishing FAQs and course materials; Healthcare providers (hospitals, clinics) displaying patient information; Financial services and banking sector websites; E-commerce platforms and retail businesses; Media and news organizations. The risk is elevated for organizations with multiple content contributors or outsourced content management, as the attack requires only Contributor-level access. Compromised pages could lead to credential theft, malware distribution, or defacement of official government and institutional websites.

🏢 Affected Saudi Sectors

Government and Public Administration Education (Universities and Schools) Healthcare and Medical Services Banking and Financial Services E-commerce and Retail Media and News Organizations Telecommunications Energy and Utilities

🎯 MITRE ATT&CK Techniques

T1190 - Exploit Public-Facing Application T1598 - Phishing T1566 - Phishing (via compromised page content) T1059 - Command and Scripting Interpreter (JavaScript execution) T1539 - Steal Web Session Cookie T1056 - Input Capture (credential harvesting via injected forms)

⚖️ Saudi Risk Score (AI)

6.8

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Audit all WordPress installations using the FAQ Shortcode plugin across your organization

2. Review user access logs for Contributor-level and above accounts to identify suspicious activity

3. Inspect all pages/posts using the [faq] shortcode for injected scripts in the 'color' attribute

4. Disable the FAQ Shortcode plugin immediately if not actively used

PATCHING GUIDANCE:

1. Monitor the plugin repository for security updates (currently no patch available)

2. Contact the plugin developer requesting urgent security patch

3. Consider switching to alternative FAQ plugins with active security maintenance

4. If plugin is critical, implement code-level fixes by sanitizing the 'color' attribute using sanitize_text_field() and escaping output with esc_attr()

COMPENSATING CONTROLS:

1. Restrict Contributor-level access to trusted personnel only; use Editor or Author roles where possible

2. Implement Web Application Firewall (WAF) rules to detect and block XSS payloads in shortcode attributes

3. Enable WordPress security plugins (Wordfence, Sucuri) with XSS detection capabilities

4. Implement Content Security Policy (CSP) headers to prevent inline script execution

5. Regular security audits of all active plugins and user permissions

DETECTION RULES:

1. Monitor database for [faq] shortcodes containing script tags or event handlers in 'color' attribute

2. Log all modifications to posts/pages containing FAQ shortcodes

3. Alert on any Contributor+ user creating/modifying content with suspicious shortcode attributes

4. Implement SIEM rules to detect XSS patterns in WordPress post_content table

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تدقيق جميع تثبيتات WordPress التي تستخدم مكون FAQ Shortcode عبر مؤسستك

2. مراجعة سجلات الوصول للمستخدمين بمستوى المساهم وما فوقه لتحديد النشاط المريب

3. فحص جميع الصفحات/المنشورات التي تستخدم اختصار [faq] للبحث عن نصوص برمجية مُحقونة في خاصية 'color'

4. تعطيل مكون FAQ Shortcode فوراً إذا لم يكن قيد الاستخدام النشط

إرشادات التصحيح:

1. مراقبة مستودع المكون للتحديثات الأمنية (لا يوجد تصحيح متاح حالياً)

2. التواصل مع مطور المكون لطلب تصحيح أمني عاجل

3. النظر في التبديل إلى مكونات FAQ بديلة ذات صيانة أمنية نشطة

4. إذا كان المكون حرجاً، قم بتطبيق إصلاحات على مستوى الكود بتنظيف خاصية 'color' باستخدام sanitize_text_field() وتجنب الإخراج باستخدام esc_attr()

الضوابط التعويضية:

1. تقييد الوصول بمستوى المساهم للموظفين الموثوقين فقط؛ استخدم أدوار المحرر أو المؤلف حيث أمكن

2. تطبيق قواعد جدار حماية تطبيقات الويب (WAF) للكشف عن حمولات XSS وحجبها في خصائص الاختصار

3. تفعيل مكونات أمان WordPress (Wordfence, Sucuri) مع قدرات الكشف عن XSS

4. تطبيق رؤوس سياسة أمان المحتوى (CSP) لمنع تنفيذ النصوص البرمجية المضمنة

5. عمليات تدقيق أمنية منتظمة لجميع المكونات النشطة والأذونات

قواعد الكشف:

1. مراقبة قاعدة البيانات للبحث عن اختصارات [faq] تحتوي على علامات نصية برمجية أو معالجات أحداث في خاصية 'color'

2. تسجيل جميع التعديلات على المنشورات/الصفحات التي تحتوي على اختصارات FAQ

3. التنبيه على أي مستخدم بمستوى المساهم+ ينشئ/يعدل محتوى بخصائص اختصار مريبة

4. تطبيق قواعد SIEM للكشف عن أنماط XSS في جدول post_content في WordPress

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.14.2.1 - Information security requirements in supplier relationships (plugin security) ECC 2024 A.14.2.5 - Addressing information security in supplier agreements ECC 2024 A.12.6.1 - Management of technical vulnerabilities ECC 2024 A.12.2.1 - Secure development policy

🔵 SAMA CSF

SAMA CSF 2.1 - Governance and Risk Management (vulnerability management) SAMA CSF 3.2 - Technical Security Controls (application security) SAMA CSF 3.3 - Access Control (user privilege management) SAMA CSF 4.1 - Detection and Response (XSS detection)

🟡 ISO 27001:2022

ISO 27001:2022 A.12.2.1 - Secure development policy ISO 27001:2022 A.12.6.1 - Management of technical vulnerabilities ISO 27001:2022 A.14.2.1 - Supplier security requirements ISO 27001:2022 A.8.3.1 - User access provisioning

🟣 PCI DSS v4.0.1

PCI DSS 6.2 - Security patches for all system components PCI DSS 6.5.7 - Cross-site scripting prevention PCI DSS 7.1 - Limit access to system components by business need

🔗 References & Sources 3

🔗

https://plugins.trac.wordpress.org/browser/faq-shortcode/tags/1.0/faq.php#L65

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/browser/faq-shortcode/trunk/faq.php#L65

security@wordfence.com

🔗

https://www.wordfence.com/threat-intel/vulnerabilities/id/ef6ce2ef-f810-4f8c-a0bd-785a2...

security@wordfence.com

📊 CVSS Score

6.4

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeC — Changed

ConfidentialityL — Low / Local

IntegrityL — Low / Local

AvailabilityN — None / Network

📋 Quick Facts

Severity Medium

CVSS Score6.4

CWECWE-79

EPSS0.03%

Exploit No

Patch ✗ No

Published 2026-05-27

Source Feed nvd

🇸🇦 Saudi Risk Score

6.8

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-79

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-8040

Introduce Yourself

Sign In Required