CVE-2026-8040
Description
The faq shortocde plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'color' shortcode attribute in the 'faq' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in the WordPress FAQ Shortcode plugin allows authenticated attackers with Contributor access to inject arbitrary scripts via the 'color' attribute.
Vulnerability
The WordPress FAQ Shortcode plugin (versions up to and including 1.0) has a stored cross-site scripting vulnerability in the faq shortcode's 'color' attribute. The plugin fails to properly sanitize and escape user-supplied input in the color parameter, allowing arbitrary HTML and script injection. The vulnerable code is located in faq.php [1], [2] where shortcode attributes are directly output without escaping.
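As an added illustration (not the plugin's own faq.php, whose code is not reproduced here), the unescaped-attribute pattern the advisory describes is shown next to the form a maintainer would ship; it assumes only the standard WordPress runtime functions named in the comments:

```php
<?php
// Illustrative handler pair added for this advisory. It is NOT the plugin's
// actual faq.php code. It assumes the WordPress runtime functions
// add_shortcode, shortcode_atts, sanitize_hex_color, esc_attr and wp_kses_post.

// Vulnerable pattern: the 'color' attribute is interpolated straight into an
// HTML attribute. A saved value containing a double quote closes the style
// attribute, so whatever follows is rendered as markup for every viewer of the
// page. This is the "output without escaping" defect the advisory describes.
function faq_shortcode_vulnerable( $atts, $content = '' ) {
    $atts = shortcode_atts( array( 'color' => '#000000' ), $atts, 'faq' );
    return '<div class="faq" style="color:' . $atts['color'] . '">'
         . $content . '</div>';
}

// Hardened pattern: validate the value against the only format it should ever
// have (a #rgb or #rrggbb hex colour), fall back to a safe default otherwise,
// and still escape at the point of output. Validation and escaping are
// independent layers; neither replaces the other.
function faq_shortcode_hardened( $atts, $content = '' ) {
    $atts  = shortcode_atts( array( 'color' => '#000000' ), $atts, 'faq' );
    $color = sanitize_hex_color( $atts['color'] ); // null or '' when not a hex colour
    if ( empty( $color ) ) {
        $color = '#000000';
    }
    return '<div class="faq" style="color:' . esc_attr( $color ) . '">'
         . wp_kses_post( $content ) . '</div>';
}

// Register only the hardened handler under the shortcode tag the advisory names.
add_shortcode( 'faq', 'faq_shortcode_hardened' );
```

For sites that cannot remove the plugin immediately, reviewing recently saved posts for a `[faq` shortcode whose `color` value is not a plain hex colour is a quick way to find content that has already exercised the bug.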
Exploitation
An attacker must have at least Contributor-level access to a WordPress site. The attacker creates or edits a post/page and inserts the [faq color=""] shortcode. When the shortcode is processed, the injected script is stored in the post content and executed in any visitor's browser upon viewing the page.
Impact
Successful exploitation allows an authenticated attacker to execute arbitrary web scripts in the context of any user's browser. This can lead to session hijacking, credential theft, defacement, or other actions the victim user can perform. The scope is within the WordPress front-end and admin interfaces.
Mitigation
No patched version has been released for CVE-2026-8040 as of the publication date. Users should remove or disable the FAQ Shortcode plugin until a fixed version is provided. There is no known workaround other than disabling the plugin. The vulnerability is not currently listed on the CISA KEV.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.