CVE-2025-8686

The WP Easy FAQs plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 1.0.5. The vulnerability resides in the WP_EASY_FAQ shortcode, where user-supplied attributes are not properly sanitized or escaped before being output. This lack of input validation and output escaping allows malicious HTML and JavaScript to be stored in the WordPress database [1][2].

An authenticated attacker with at least author-level access can exploit this by crafting a post or page containing the vulnerable shortcode with malicious attribute values. When any user—including administrators—visits the affected page, the injected script executes in their browser. No additional privileges or user interaction beyond viewing the page are required [1].

Successful exploitation enables arbitrary script execution in the victim's browser session. This can lead to session cookie theft, account takeover, website defacement, or redirection to malicious sites, compromising the confidentiality and integrity of the WordPress installation [2].

As of the publication date, no patched version has been released. Users are advised to disable the plugin or apply strict content controls until an update is available. The vulnerability has been assigned a CVSS v3 score of 6.4 (Medium) [1].