CVE-2026-1093 in WPFAQBlock Plugin
Summary
by MITRE • 03/21/2026
The WPFAQBlock– FAQ & Accordion Plugin For Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' parameter of the 'wpfaqblock' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 03/27/2026
The WPFAQBlock plugin for WordPress represents a widely used tool for creating FAQ and accordion content blocks within the Gutenberg editor environment. This particular vulnerability affects all versions up to and including 1.1, making it a persistent threat across multiple plugin iterations. The vulnerability stems from inadequate input validation and output escaping mechanisms that fail to properly sanitize user-supplied data before processing. Attackers exploiting this flaw can leverage the 'class' parameter within the 'wpfaqblock' shortcode to inject malicious scripts that persist in the database, creating a stored cross-site scripting vector.
The technical implementation of this vulnerability resides in the plugin's handling of shortcode attributes without proper sanitization protocols. When the 'class' parameter is processed, the plugin fails to employ adequate escaping functions or validation checks that would normally prevent malicious input from being stored and subsequently executed. This weakness allows authenticated users with Contributor-level permissions or higher to craft malicious payloads that get stored in the WordPress database and executed whenever affected pages are accessed by any user, including administrators. The vulnerability operates at the intersection of improper input validation and output escaping, which are fundamental security principles outlined in CWE-79 - Cross-site Scripting.
From an operational standpoint, this vulnerability presents a significant risk to WordPress installations using the affected plugin. The low privilege requirement for exploitation means that attackers with minimal access can create persistent backdoors or data exfiltration mechanisms within the WordPress environment. The stored nature of the XSS vulnerability allows attackers to maintain access even after the initial compromise, as the malicious scripts remain embedded in the database and execute automatically when pages containing the compromised shortcode are loaded. This creates a persistent threat that can be leveraged for session hijacking, credential theft, or further privilege escalation within the WordPress installation.
The impact extends beyond simple script execution to encompass potential privilege escalation and data compromise scenarios. Attackers can craft malicious classes that redirect users to phishing sites, steal cookies, or inject additional malicious code into the WordPress admin interface. The vulnerability's presence in the Gutenberg editor context means that content creators and contributors who use the plugin are particularly at risk, as their input is not properly sanitized before being stored. Organizations should consider implementing immediate mitigations including plugin updates, input validation enforcement, and monitoring for suspicious shortcode usage patterns. The ATT&CK framework categorizes this vulnerability under T1059.001 - Command and Scripting Interpreter: PowerShell and T1566.001 - Phishing: Spearphishing Attachment, as it enables both automated script execution and social engineering through compromised content. Given the widespread use of WordPress and Gutenberg-based content management, this vulnerability represents a critical security concern requiring immediate attention and remediation across affected installations.