Platform: wordpress
Component: faq-builder-ays
Fixed in: 1.8.3
CVE-2026-25346 describes a Cross-site Scripting (XSS) vulnerability in the FAQ Builder AYS WordPress plugin. The flaw allows attackers to inject malicious scripts because input is improperly neutralized during web page generation, in combination with incorrectly configured access control security levels. The vulnerability affects versions 0.0.0 through 1.8.2 of the plugin; a patch is available in version 1.8.3.
Successful exploitation of CVE-2026-25346 enables an attacker to execute arbitrary JavaScript in the context of a victim's browser. This can lead to a variety of malicious outcomes, including session hijacking, credential theft (e.g., stealing login cookies), defacement of the website, and redirection to phishing sites. The impact is particularly severe because XSS attacks often target authenticated users, granting attackers access to sensitive data and administrative functionality. If the vulnerability can be used to escalate privileges, the attacker could potentially gain control of the entire WordPress site.
CVE-2026-25346 was publicly disclosed on 2026-03-25. There is currently no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (POC) code has been released at the time of this writing. The vulnerability is not currently listed on the CISA KEV catalog.
Websites using the FAQ Builder AYS plugin, particularly those with user-generated content or forms, are at risk. Shared hosting environments, where multiple websites share the same server resources, are also at increased risk, since a compromise of one site could lead to exploitation of this vulnerability on other sites running the plugin.
• wordpress / composer / npm:
  grep -r "<script>alert('XSS')</script>" /var/www/html/wp-content/plugins/faq-builder-ays/
• wordpress / composer / npm:
  wp plugin list --status=active | grep faq-builder-ays
• wordpress / composer / npm:
  wp plugin update faq-builder-ays --all
Disclosure
Exploit status
EPSS: 0.04% (11th percentile)
CVSS vector
The primary mitigation for CVE-2026-25346 is to upgrade the FAQ Builder AYS plugin to version 1.8.3 or later immediately. If upgrading is not immediately feasible because of compatibility issues or testing requirements, consider temporary workarounds such as strict input validation and output encoding of user-supplied data within the plugin's templates. Web Application Firewalls (WAFs) configured with rules that detect and block XSS payloads can also provide a layer of protection. After upgrading, verify the fix by submitting a simple JavaScript payload (e.g., <script>alert('XSS')</script>) through the plugin's input fields and confirming that it is properly sanitized in the rendered page.
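The output-encoding and access-control workaround described above, shown as an added illustration in WordPress plugin PHP; this is not code from the FAQ Builder AYS plugin, and the faqb_ function names, the faqb_items option key and the faqb_list shortcode are hypothetical:

```php
<?php
// Added illustration, not code from the FAQ Builder AYS plugin. Function names,
// the option key and the shortcode tag are hypothetical.

// Vulnerable pattern: a stored FAQ entry is echoed into the page unescaped, so a
// value such as <script>alert('XSS')</script> saved as an "answer" runs in the
// browser of every visitor who views the FAQ.
function faqb_render_item_vulnerable( array $item ): string {
    return '<h3>' . $item['question'] . '</h3><div>' . $item['answer'] . '</div>';
}

// Hardened: escape at output time with the context-appropriate WordPress helper.
// esc_html() neutralises the question; wp_kses_post() keeps benign HTML in the
// answer (paragraphs, links) but strips <script>, event handlers and javascript: URLs.
function faqb_render_item_safe( array $item ): string {
    return '<h3>' . esc_html( $item['question'] ) . '</h3>'
         . '<div>' . wp_kses_post( $item['answer'] ) . '</div>';
}

// Access control on the write path: only users allowed to manage options may
// save FAQ entries, and the request must carry a valid nonce. Stored input is
// sanitized as well, so a weaker renderer elsewhere has less to work with.
function faqb_save_item_handler(): void {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'faqb_save_item' ); // dies on a missing or invalid nonce

    $item = array(
        'question' => sanitize_text_field( wp_unslash( $_POST['question'] ?? '' ) ),
        'answer'   => wp_kses_post( wp_unslash( $_POST['answer'] ?? '' ) ),
    );
    $items   = get_option( 'faqb_items', array() );
    $items[] = $item;
    update_option( 'faqb_items', $items );
}
add_action( 'admin_post_faqb_save_item', 'faqb_save_item_handler' );

// Front-end shortcode: every entry goes through the escaping renderer.
add_shortcode( 'faqb_list', function () {
    $out = '';
    foreach ( (array) get_option( 'faqb_items', array() ) as $item ) {
        $out .= faqb_render_item_safe( $item );
    }
    return $out;
} );
```

The verification step from the paragraph above maps onto this: after saving an entry whose answer contains the test payload, the page source produced by faqb_list should show the tags stripped rather than a live script element.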
Update to version 1.8.3, or a newer patched version
CVE-2026-25346 is a Cross-site Scripting (XSS) vulnerability in the FAQ Builder AYS WordPress plugin, allowing attackers to inject malicious scripts through incorrectly configured access controls.
You are affected if you are using FAQ Builder AYS versions 0.0.0 through 1.8.2. Upgrade to 1.8.3 or later to mitigate the risk.
Upgrade the FAQ Builder AYS plugin to version 1.8.3 or later. If immediate upgrade is not possible, implement temporary workarounds like input validation and WAF rules.
There is currently no indication of active exploitation campaigns targeting CVE-2026-25346, but vigilance is still advised.
Refer to the FAQ Builder AYS plugin documentation and website for the official advisory and release notes regarding this vulnerability.