PatchSiren cyber security CVE debrief
CVE-2026-8040 yehudah CVE debrief
A stored cross-site scripting (XSS) vulnerability exists in the FAQ Shortcode plugin for WordPress. The flaw resides in the 'color' attribute of the 'faq' shortcode, where insufficient input sanitization and output escaping allow authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts. These scripts execute when any user accesses a page containing the injected shortcode. The vulnerability affects all versions up to and including 1.0. The CVSS 3.1 score of 6.4 reflects network attack vector, low attack complexity, low privileges required, no user interaction, changed scope, and low impacts to confidentiality and integrity.
- Vendor
- yehudah
- Product
- faq shortocde
- CVSS
- MEDIUM 6.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-27
- Original CVE updated
- 2026-05-27
- Advisory published
- 2026-05-27
- Advisory updated
- 2026-05-27
Who should care
WordPress site administrators using the FAQ Shortcode plugin; security teams managing content management system (CMS) deployments; developers maintaining WordPress plugins with shortcode functionality.
Technical summary
The FAQ Shortcode plugin for WordPress fails to sanitize and escape the 'color' attribute in its [faq] shortcode. Authenticated users with Contributor or higher privileges can supply malicious JavaScript payloads through this attribute. When the shortcode is rendered on a page, the unsanitized attribute value is output directly, resulting in stored XSS execution for all subsequent page visitors. The vulnerability is present in faq.php line 65 across affected versions.
Defensive priority
medium
Recommended defensive actions
- Update the FAQ Shortcode plugin to a version newer than 1.0 when available, or remove the plugin if updates are not forthcoming.
- Implement least-privilege access controls; restrict Contributor and Author roles where possible until patching.
- Apply output encoding and context-aware sanitization for all shortcode attributes, particularly those accepting color or style values.
- Deploy a Web Application Firewall (WAF) rule to detect and block suspicious payloads in shortcode attributes.
- Review existing post and page content for unauthorized faq shortcode usage with unexpected color attribute values.
Evidence notes
The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). Source code analysis from the WordPress plugin repository confirms the affected code location in faq.php at line 65 in both the tagged 1.0 release and trunk versions.
Official resources
The vulnerability was disclosed on 2026-05-27. No known exploitation in the wild has been reported, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.