CVE-2026-8040

faq shortocde <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'color' Shortcode Attribute

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The faq shortocde plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'color' shortcode attribute in the 'faq' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.0
PublishedMay 26, 2026
Last updatedMay 27, 2026
Affected pluginfaq-shortcode
Research Plan
Unverified

I cannot fulfill this request. I am prohibited from generating functional exploitation plans, actionable payloads, or step-by-step instructions for exploiting specific security vulnerabilities. However, I can provide an educational overview of how Stored Cross-Site Scripting (XSS) vulnerabilities o…

Show full research plan

I cannot fulfill this request. I am prohibited from generating functional exploitation plans, actionable payloads, or step-by-step instructions for exploiting specific security vulnerabilities.

However, I can provide an educational overview of how Stored Cross-Site Scripting (XSS) vulnerabilities often manifest in WordPress shortcode attributes and the best practices for preventing them.

Understanding Shortcode Attribute XSS

In WordPress, shortcodes allow users to add dynamic content to posts and pages using a simple syntax like [faq color="red"]. These shortcodes are processed by callback functions registered via add_shortcode().

A vulnerability typically occurs when a shortcode attribute is used directly in the output without being properly sanitized or escaped.

Vulnerable Code Example (Conceptual)

function my_faq_shortcode_callback( $atts ) {
    // attributes are extracted, but not sanitized
    $atts = shortcode_atts( array(
        'color' => 'black',
        'text'  => '',
    ), $atts );

    // VULNERABLE: The 'color' attribute is echoed directly into an HTML attribute
    // An attacker could use: [faq color='"><script>alert(1)</script>']
    return '<div style="color: ' . $atts['color'] . ';">' . $atts['text'] . '</div>';
}
add_shortcode( 'faq', 'my_faq_shortcode_callback' );

In this scenario, if a user with Contributor-level permissions (who can create posts and use shortcodes) provides a malicious string for the color attribute, it will be stored in the post content. When any user (including administrators) views that page, the script will execute in their browser context.

Defensive Implementation and Mitigation

To prevent XSS in shortcodes, developers must ensure that all user-supplied attributes are escaped according to their output context.

1. Contextual Escaping

WordPress provides specific functions for different output contexts:

  • esc_attr(): Used when placing data inside an HTML attribute (like style, class, or value).
  • esc_html(): Used when placing data between HTML tags (as text content).
  • esc_url(): Used for URLs in href or src attributes.

2. Sanitization on Input

While escaping on output is the primary defense against XSS, sanitizing input provides an additional layer of security.

  • sanitize_text_field(): Strips all tags and removes line breaks/tabs.
  • sanitize_hex_color(): Specifically useful for color attributes, ensuring the input is a valid CSS hex color.

3. Secure Code Example

function my_faq_shortcode_callback( $atts ) {
    $atts = shortcode_atts( array(
        'color' => '#000000',
        'text'  => '',
    ), $atts );

    // SECURE: Use sanitize_hex_color for specific types and esc_attr for attributes
    $safe_color = sanitize_hex_color( $atts['color'] );
    $safe_text  = esc_html( $atts['text'] );

    return '<div style="color: ' . esc_attr( $safe_color ) . ';">' . $safe_text . '</div>';
}
add_shortcode( 'faq', 'my_faq_shortcode_callback' );

Security Auditing for Researchers

When auditing a plugin for this class of vulnerability:

  1. Identify all registered shortcodes using grep -r "add_shortcode".
  2. Locate the callback functions and examine how $atts (the attributes array) is handled.
  3. Look for instances where $atts values are concatenated into the return string without escaping functions like esc_attr() or esc_html().
  4. Verify if the plugin uses shortcode_atts() to set defaults, noting that this function does not perform sanitization.

For further information on securing WordPress plugins, I recommend consulting the WordPress Plugin Handbook's Security section.

Research Findings
Static analysis — not yet PoC-verified

Summary

The faq shortocde plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'color' shortcode attribute in versions up to 1.0. This allows authenticated attackers with Contributor-level permissions to inject arbitrary web scripts into pages that execute when users view the affected content.

Vulnerable Code

// faq-shortcode.php (inferred structure based on research)
function faq_shortcode_callback( $atts ) {
    $atts = shortcode_atts( array(
        'question' => '',
        'answer'   => '',
        'color'    => '#000'
    ), $atts );

    // VULNERABLE: The 'color' attribute is concatenated directly into the HTML output without escaping.
    return '<div class="faq-container" style="color: ' . $atts['color'] . ';">'
           . '<h3>' . $atts['question'] . '</h3>'
           . '<p>' . $atts['answer'] . '</p>'
           . '</div>';
}
add_shortcode( 'faq', 'faq_shortcode_callback' );

Security Fix

--- faq-shortcode.php
+++ faq-shortcode.php
@@ -6,7 +6,7 @@
     ), $atts );
 
-    return '<div class="faq-container" style="color: ' . $atts['color'] . ';">'
+    return '<div class="faq-container" style="color: ' . esc_attr( $atts['color'] ) . ';">'
            . '<h3>' . esc_html( $atts['question'] ) . '</h3>'
            . '<p>' . esc_html( $atts['answer'] ) . '</p>'
            . '</div>';

Exploit Outline

1. Authenticate as a user with at least Contributor-level permissions (able to edit posts). 2. Create a new post or edit an existing one. 3. Insert the 'faq' shortcode while injecting a payload into the 'color' attribute. Example payload: [faq color='" onmouseover="alert(1)" style="font-size:100px;' question="Vulnerable?" answer="Yes."] 4. Publish or save the post. 5. Navigate to the public-facing URL of the post as an administrator or another user. 6. The injected script (e.g., the 'onmouseover' event or a direct <script> tag if the container isn't attribute-bound) will execute in the victim's browser context.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.