Platform
wordpress
Component
faq-builder-ays
Fixed in
1.8.3
CVE-2026-25346 is a Cross-site Scripting (XSS) vulnerability in the FAQ Builder AYS WordPress plugin. User-supplied input is not properly neutralized when a page is generated, so an attacker can inject script that executes in the browser of anyone who views the affected output. The advisory attributes the flaw to an incorrectly configured access control level on the affected functionality, meaning the input path is reachable by users who should not be able to supply it. Versions 0.0.0 through 1.8.2 are affected; the fix ships in version 1.8.3.
Successful exploitation of CVE-2026-25346 lets an attacker execute arbitrary JavaScript in a victim's browser, in the origin of the WordPress site. Typical outcomes are session hijacking, theft of credentials or session cookies, defacement, and redirection to phishing pages. On WordPress the impact is worst when the script runs in the browser of a logged-in administrator: the injected code can then drive wp-admin with the victim's session and privileges, and an attacker who reaches that point can take over the entire site.
CVE-2026-25346 was publicly disclosed on 2026-03-25. At the time of writing there is no indication of active exploitation campaigns, no public proof-of-concept (PoC) code has been released, and the vulnerability is not listed in the CISA KEV catalog.
Exploit Status
EPSS
0.04% (11th percentile)
CVSS Vector
The primary mitigation for CVE-2026-25346 is to upgrade the FAQ Builder AYS plugin to version 1.8.3 or later as soon as possible. If upgrading is not immediately feasible because of compatibility or testing requirements, reduce exposure in the meantime: restrict the plugin's input to trusted roles only, put a Web Application Firewall (WAF) with XSS rules in front of the site, and, if you maintain a fork of the plugin, escape values at the point where they are rendered into HTML (WordPress provides esc_html() and esc_attr() for this). After upgrading, verify the fix: submit a benign probe such as <script>alert('XSS')</script> through the plugin's input fields and confirm that the rendered page contains the HTML-escaped form (&lt;script&gt;...) rather than the raw tag. Purge any page cache first, since a cached copy can keep serving the unescaped output. Note also that upgrading does not remove payloads an attacker may already have stored; review the plugin's saved FAQ content for unexpected markup.
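As an added example (not code from the advisory or from the FAQ Builder AYS plugin), the following Python script performs the two checks above offline: it reads the Version: field from a WordPress plugin's main-file header, decides whether that version falls in the affected range 0.0.0 through 1.8.2, and classifies how a probe string comes back in a rendered page (raw, escaped, or absent). The plugin header and the two responses are constructed samples; the plugin's real file name and markup are not assumed, so on a live site read the header from the plugin's main PHP file under wp-content/plugins/faq-builder-ays/ and feed it the page that renders your probe.

```python
import html
import re

FIXED_VERSION = "1.8.3"   # first fixed release, per the advisory
FIRST_AFFECTED = "0.0.0"  # start of the affected range, per the advisory


def version_tuple(v):
    """Turn '1.8.2' or '1.8.3-beta1' into a tuple of ints that compares numerically."""
    return tuple(int(x) for x in re.findall(r"\d+", v)) or (0,)


def is_affected(installed, first_affected=FIRST_AFFECTED, fixed=FIXED_VERSION):
    """True when first_affected <= installed < fixed (numeric, not string, comparison)."""
    lo, hi, cur = version_tuple(first_affected), version_tuple(fixed), version_tuple(installed)
    return lo <= cur < hi


# Matches the 'Version:' line of a WordPress plugin header comment block.
PLUGIN_HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_plugin_version(main_file_text):
    """Extract the Version: field from a plugin's main-file header; None if not present."""
    m = PLUGIN_HEADER_RE.search(main_file_text)
    return m.group(1) if m else None


def classify_reflection(page_html, probe):
    """Report whether a submitted probe comes back 'raw', 'escaped', or 'absent'.

    This is a smoke test for the simplest injection context only: a probe that is
    partially escaped (e.g. '<' encoded but quotes not) will be reported as 'absent'.
    """
    if probe in page_html:
        return "raw"  # unescaped reflection: the page is still vulnerable
    python_style = html.escape(probe, quote=True)                 # &#x27; for single quotes
    wordpress_style = python_style.replace("&#x27;", "&#039;")    # esc_html() uses &#039;
    if python_style in page_html or wordpress_style in page_html:
        return "escaped"
    return "absent"


def assess(main_file_text, page_html, probe):
    """Combine the version check and the reflection check into one verdict."""
    version = parse_plugin_version(main_file_text)
    return {
        "version": version,
        "version_affected": is_affected(version) if version else None,
        "reflection": classify_reflection(page_html, probe),
    }


# Constructed sample inputs (not taken from the plugin): a plugin header and two responses.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: FAQ Builder AYS
 * Version: 1.8.2
 */
"""
PROBE = "<script>alert('XSS')</script>"
VULNERABLE_RESPONSE = "<div>" + PROBE + "</div>"
PATCHED_RESPONSE = "<div>&lt;script&gt;alert(&#039;XSS&#039;)&lt;/script&gt;</div>"

if __name__ == "__main__":
    print(assess(SAMPLE_PLUGIN_HEADER, VULNERABLE_RESPONSE, PROBE))
    print(assess(SAMPLE_PLUGIN_HEADER, PATCHED_RESPONSE, PROBE))
```

The version comparison is numeric on purpose: a string comparison would rank "1.10.0" below "1.8.3" and report a patched install as affected. Treat an "escaped" result as evidence for the one rendering context you tested, not as proof that every output path in the plugin is fixed.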
Update to version 1.8.3, or a newer patched version
CVE-2026-25346 is a Cross-site Scripting (XSS) vulnerability in the FAQ Builder AYS WordPress plugin: input reachable through an incorrectly configured access control level is not neutralized before it is rendered, allowing attackers to inject malicious scripts.
You are affected if you are using FAQ Builder AYS versions 0.0.0 through 1.8.2. Upgrade to 1.8.3 or later to mitigate the risk.
Upgrade the FAQ Builder AYS plugin to version 1.8.3 or later. If immediate upgrade is not possible, implement temporary workarounds like input validation and WAF rules.
There is currently no indication of active exploitation campaigns targeting CVE-2026-25346, but vigilance is still advised.
Refer to the FAQ Builder AYS plugin documentation and website for the official advisory and release notes regarding this vulnerability.