Accordion & FAQ < 1.9.9 - Reflected XSS
Description
The Accordion & FAQ plugin for WordPress before 1.9.9 has a reflected XSS via unescaped generated URLs in notices.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Accordion & FAQ WordPress plugin (helpie-faq) in versions before 1.9.9 does not escape various generated URLs before outputting them in HTML attributes when certain notices are displayed. Because those URLs are built from request-controlled data, this is a reflected Cross-Site Scripting (XSS) vulnerability [1].
Exploitation
An attacker crafts a URL whose parameters carry the payload. When a user who can see the notice, typically an administrator, visits that URL, the plugin writes the unescaped generated URL into an HTML attribute and the injected script runs in the victim's browser. The attacker needs no account on the site; the victim must follow the crafted link.
Impact
Successful exploitation runs attacker-controlled JavaScript in the victim's browser, in the origin of the affected site. Against an administrator this can be used for session hijacking, performing authenticated actions in the victim's session, defacement, or redirection to malicious sites. The CVSS score is 5.8 (medium) [1].
Mitigation
The vulnerability is fixed in version 1.9.9 of the plugin [1]. Update to 1.9.9 or later. The reference lists no workaround; until the update is applied, deactivating the plugin removes the exposure.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 affected products; version range: <1.9.9
- (no CPE) range: <1.9.9
- (no CPE) range: <1.9.9
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The plugin does not escape various generated URLs before outputting them in HTML attributes when displaying notices."
Attack vector
An attacker can craft a malicious URL containing JavaScript payloads in parameters that the plugin uses to generate URLs for admin notices. When a WordPress administrator visits the crafted link, the plugin outputs the unescaped URL in an HTML attribute, causing the injected script to execute in the victim's browser. This is reflected Cross-Site Scripting (XSS), CWE-79; the attacker needs no authentication and triggers it by luring an admin to the malicious link [1].
Affected code
The advisory does not specify exact file paths or function names. The vulnerability exists in the Accordion & FAQ (helpie-faq) plugin for WordPress, affecting all versions before 1.9.9: the plugin fails to escape various generated URLs before outputting them in HTML attributes when certain notices are displayed [1].
What the fix does
The advisory states the vulnerability is fixed in version 1.9.9 of the helpie-faq plugin [1]. No patch diff is provided in the bundle. A fix for this bug class normally wraps each generated URL in WordPress's esc_url() (or esc_attr() for non-URL attribute values) at the point of output, so that quotes and other attribute-breaking characters are encoded and an injected script is not interpreted as code; this is an inference from the bug class, not a confirmed description of the 1.9.9 change.
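Illustration of the bug class described under Attack vector and of the escaping fix inferred above. This is an added example, not code from the helpie-faq plugin: the advisory names no file, function or parameter, so the dismiss-link notice, the helpie_dismiss_notice parameter and the request URL are assumptions. The stand-in functions are simplified replacements that let the script run stand-alone with `php notice_example.php`; inside WordPress the real add_query_arg(), esc_attr() and esc_url() are used instead.

```php
<?php
// Added example, not the plugin's code. Shows an admin notice whose link is
// built from the current request URL, once output raw (vulnerable) and once
// wrapped in esc_url() (the fix the advisory implies).

if (!function_exists('add_query_arg')) {
    // Simplified stand-in for WordPress add_query_arg(): when no $url is
    // given, WordPress builds on $_SERVER['REQUEST_URI'], which the attacker
    // controls in a reflected attack.
    function add_query_arg($key, $value, $url = false) {
        $base = ($url === false) ? $_SERVER['REQUEST_URI'] : $url;
        $sep  = (strpos($base, '?') === false) ? '?' : '&';
        return $base . $sep . rawurlencode($key) . '=' . rawurlencode($value);
    }
}
if (!function_exists('esc_attr')) {
    // Stand-in for esc_attr(): HTML-attribute escaping.
    function esc_attr($text) {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Stand-in for esc_url(): refuse script-bearing schemes, then escape for
    // an attribute context. The real esc_url() does more filtering.
    function esc_url($url) {
        $url = trim($url);
        if (preg_match('#^(javascript|data|vbscript):#i', $url)) {
            return '';
        }
        return esc_attr($url);
    }
}

// Vulnerable pattern (CWE-79): the generated URL lands in href unescaped.
function notice_vulnerable() {
    $dismiss = add_query_arg('helpie_dismiss_notice', '1');
    return '<div class="notice"><a href="' . $dismiss . '">Dismiss</a></div>';
}

// Hardened pattern: escape at the point of output.
function notice_fixed() {
    $dismiss = add_query_arg('helpie_dismiss_notice', '1');
    return '<div class="notice"><a href="' . esc_url($dismiss) . '">Dismiss</a></div>';
}

// Constructed attacker request (assumed admin page and parameter). The
// payload closes the href attribute and adds an event handler. How the raw
// quote characters reach REQUEST_URI depends on the browser and on the
// plugin's URL-building code, neither of which the advisory specifies.
$_SERVER['REQUEST_URI'] = '/wp-admin/admin.php?page=helpie-faq&x=" onmouseover="alert(document.domain)" a="';

echo "Vulnerable:\n", notice_vulnerable(), "\n\n";
echo "Fixed:\n", notice_fixed(), "\n";
```

In the vulnerable output the attacker's `onmouseover` attribute becomes part of the anchor tag; in the fixed output the quotes are emitted as `&quot;`, so the whole value stays inside href. The same rule applies to every attribute the notice writes: escape with the function matching the context (esc_url() for URLs, esc_attr() for other attribute values) at output time, not where the URL is assembled.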
Preconditions
- config: The target site must be running the Accordion & FAQ (helpie-faq) plugin at a version prior to 1.9.9
- input: A WordPress administrator must visit a crafted URL containing the XSS payload
- auth: No authentication is required for the attacker to deliver the malicious link
Reproduction
The advisory does not include a detailed proof of concept beyond stating the vulnerability class [1]. No reproduction steps are available from the bundle.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. wpscan.com/vulnerability/4e5d993f-cc20-4b5f-b4c8-c13004151828 (mitre, exploit, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.