CVE-2026-1093 Overview
CVE-2026-1093 is a Stored Cross-Site Scripting (XSS) vulnerability in the WPFAQBlock – FAQ & Accordion Plugin for Gutenberg, a WordPress plugin. The flaw exists in all versions up to and including 1.1. It affects the class parameter of the wpfaqblock shortcode, which fails to sanitize user-supplied input or escape output. Authenticated users with Contributor-level access or higher can inject arbitrary JavaScript into pages. The injected payload executes in any visitor's browser when the affected page loads. The issue is tracked under [CWE-79] (Improper Neutralization of Input During Web Page Generation).
Critical Impact
Authenticated contributors can persistently inject JavaScript that executes against any site visitor, enabling session theft, account takeover, and content manipulation.
Affected Products
- WPFAQBlock – FAQ & Accordion Plugin For Gutenberg (WordPress plugin)
- All versions up to and including 1.1
- Vulnerable component: includes/templates/template-1.php
Discovery Timeline
- 2026-03-21 - CVE-2026-1093 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-1093
Vulnerability Analysis
The vulnerability stems from how the plugin processes shortcode attributes. The wpfaqblock shortcode accepts a class attribute intended to let authors add custom CSS classes to the rendered FAQ block. The plugin inserts this attribute directly into the rendered HTML, neither sanitizing the input on save nor escaping the value on output. Any string supplied to class is embedded into the page-rendering template at includes/templates/template-1.php (line 10). An attacker can break out of the HTML attribute context and inject a script payload that persists with the post or page; the payload then executes for every user who loads the affected content. Because the attack is stored, no further interaction from the attacker is required after injection.
Root Cause
The plugin uses the value of the shortcode class attribute in template rendering without applying WordPress escaping functions such as esc_attr() or sanitization helpers like sanitize_html_class(). The template file inserts the attribute value directly into the HTML class attribute of a wrapper element. This concatenation of untrusted data into an HTML context is the classic [CWE-79] pattern.
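The pattern above, as an added illustration that is not the plugin's own code: a minimal wpfaqblock shortcode handler written the vulnerable way and the hardened way. The function names and wrapper markup are assumptions; shortcode_atts(), sanitize_html_class() and esc_attr() are real WordPress APIs, so this runs inside WordPress.

```php
<?php
// Added illustration (not the plugin's own code): a minimal wpfaqblock shortcode
// handler written two ways. Function names and the wrapper markup are assumptions;
// shortcode_atts(), sanitize_html_class() and esc_attr() are WordPress core APIs.

// Vulnerable pattern described in the advisory: the attribute value is concatenated
// straight into the class="" attribute, so a quote in the value ends the attribute
// and whatever follows is parsed as markup by the visitor's browser (CWE-79).
function wpfaqblock_render_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'class' => '' ), $atts, 'wpfaqblock' );
    return '<div class="wpfaqblock ' . $atts['class'] . '">' . "\n"
         . '  ...faq items...' . "\n"
         . '</div>';
}

// Hardened pattern: reduce the value to a list of CSS class names, then escape it
// for the attribute context it lands in.
function wpfaqblock_render_hardened( $atts ) {
    $atts = shortcode_atts( array( 'class' => '' ), $atts, 'wpfaqblock' );
    // Allow several space-separated classes. sanitize_html_class() keeps only
    // [A-Za-z0-9_-], so quotes, angle brackets, '=' and ':' cannot survive;
    // array_filter() drops tokens that were reduced to nothing.
    $classes = array_filter( array_map( 'sanitize_html_class', preg_split( '/\s+/', $atts['class'] ) ) );
    // esc_attr() is still applied: sanitization limits the input,
    // escaping protects the output context.
    $class_attr = esc_attr( trim( 'wpfaqblock ' . implode( ' ', $classes ) ) );
    return '<div class="' . $class_attr . '">' . "\n"
         . '  ...faq items...' . "\n"
         . '</div>';
}

add_shortcode( 'wpfaqblock', 'wpfaqblock_render_hardened' );
```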
Attack Vector
An attacker with at least Contributor permissions authors a post or page containing the wpfaqblock shortcode. The attacker supplies a malicious class attribute that closes the original HTML attribute and injects a <script> tag or an event handler such as onmouseover. When the post is rendered to any visitor, including administrators previewing the draft, the injected script executes in the visitor's browser session.
No verified public exploit code is available. See the Wordfence Vulnerability Report and the WordPress Plugin Template File for technical context.
Detection Methods for CVE-2026-1093
Indicators of Compromise
- Posts or pages containing the wpfaqblock shortcode with unusual characters in the class attribute, such as quotation marks, angle brackets, or on*= event handlers.
- Outbound browser requests from visitors to unfamiliar third-party domains after viewing pages containing FAQ blocks.
- New or modified wp_posts rows authored by Contributor-level accounts that include <script> fragments or HTML attribute breakouts.
Detection Strategies
- Query the WordPress database for post_content values containing wpfaqblock together with characters like ", <, or javascript: inside attribute values.
- Review web server access logs for HTTP requests serving pages that contain the shortcode and correlate with anomalous referrer or beaconing patterns.
- Inspect rendered page HTML for malformed class attributes or inline scripts not present in the site theme.
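An added detection example, not from the advisory or the plugin, that applies the first strategy to exported post_content rows. It runs stand-alone with plain PHP (no WordPress); the sample rows are constructed. It inspects the whole shortcode attribute string rather than only the quoted class value, because a breakout that first closes the quote looks well-formed to a parser that only reads inside the quotes.

```php
<?php
// Added detection example (not the advisory's or the plugin's code). Scans post rows for
// wpfaqblock shortcodes whose attribute string carries HTML metacharacters.

// Returns a reason string when the shortcode's attribute string looks suspicious, else null.
function classify_wpfaqblock_attrs( string $attrs ): ?string {
    // 1. Angle brackets anywhere: no legitimate shortcode attribute needs them.
    if ( preg_match( '/[<>]/', $attrs ) ) {
        return 'angle brackets in shortcode attributes';
    }
    // 2. Event-handler or javascript: fragments, even when hidden inside a quoted value.
    if ( preg_match( '/\bon\w+\s*=|javascript:/i', $attrs ) ) {
        return 'event handler or javascript: URI in shortcode attributes';
    }
    // 3. A class value that is not a plain list of CSS class names.
    if ( preg_match( '/\bclass\s*=\s*(["\'])(.*?)\1/is', $attrs, $c )
         && preg_match( '/[^A-Za-z0-9_\-\s]/', $c[2] ) ) {
        return 'non-class characters in class value';
    }
    return null;
}

// $posts: rows shaped like wp_posts (ID, post_content). Returns one hit per suspicious shortcode.
function find_suspicious_wpfaqblock( array $posts ): array {
    $hits = array();
    foreach ( $posts as $post ) {
        // WordPress shortcode syntax does not allow ']' inside attributes, so stop at the first ']'.
        if ( ! preg_match_all( '/\[wpfaqblock\b([^\]]*)\]/i', $post['post_content'], $m ) ) {
            continue;
        }
        foreach ( $m[1] as $attrs ) {
            $reason = classify_wpfaqblock_attrs( $attrs );
            if ( $reason !== null ) {
                $hits[] = array( 'ID' => $post['ID'], 'reason' => $reason, 'attrs' => trim( $attrs ) );
            }
        }
    }
    return $hits;
}

// Constructed sample rows: one benign use, one quote breakout with an event handler,
// one breakout that closes the quote and opens a tag (invisible to a quote-only check).
$sample_posts = array(
    array( 'ID' => 101, 'post_content' => 'Intro [wpfaqblock class="faq-dark wide"] text' ),
    array( 'ID' => 102, 'post_content' => "[wpfaqblock class='faq\" onmouseover=\"x()']" ),
    array( 'ID' => 103, 'post_content' => '[wpfaqblock class="faq"><b>x</b>"]' ),
);
foreach ( find_suspicious_wpfaqblock( $sample_posts ) as $hit ) {
    printf( "post %d: %s: %s\n", $hit['ID'], $hit['reason'], $hit['attrs'] );
}
```

Posts 102 and 103 are reported; post 101 is not. Run the same function over a `wp db query` export of post_content to cover a live site.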
Monitoring Recommendations
- Audit Contributor and Author account activity, focusing on post creation and revision events.
- Enable WordPress audit logging to track shortcode usage and post content changes.
- Deploy a web application firewall rule that flags shortcode attributes containing HTML metacharacters.
How to Mitigate CVE-2026-1093
Immediate Actions Required
- Update the WPFAQBlock plugin to a patched version above 1.1 once the vendor publishes a fix; check the WordPress FAQ Block Plugin page for the latest release.
- Restrict Contributor-level and higher accounts to trusted users and review recently granted role assignments.
- Audit existing posts and pages for malicious wpfaqblock shortcode usage and remove injected payloads.
Patch Information
At the time of NVD publication, all versions up to and including 1.1 are vulnerable. Site administrators should monitor the WordPress FAQ Block Plugin repository and the Wordfence Vulnerability Report for an updated release that applies esc_attr() or sanitize_html_class() to the class shortcode attribute.
Workarounds
- Deactivate and remove the WPFAQBlock plugin until a patched version is released.
- Limit the unfiltered_html capability and avoid granting Contributor or higher roles to untrusted users.
- Add a web application firewall rule that blocks shortcode submissions where the class attribute contains characters such as <, >, or ".
# Disable the plugin from the command line using WP-CLI
wp plugin deactivate wpfaqblock
wp plugin delete wpfaqblock
# Search posts for suspicious shortcode usage. The REGEXP only flags angle brackets inside a
# still-open class="..." value; a breakout that first closes the quote (class="x" onmouseover=...)
# does not match it, so also review the wpfaqblock shortcodes in every post matched by the LIKE clause alone.
wp db query "SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%wpfaqblock%' AND post_content REGEXP 'class=\"[^\"]*[<>]';"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.