Security Alert Summary
The BWL Advanced FAQ Manager Lite plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in the baf_sbox shortcode. Insufficient input sanitization and missing esc_attr() escaping on several shortcode attributes allow authenticated users with Contributor-level access or higher to inject scripts that execute when a page with the injected shortcode is viewed.
CVE Details
- CVE ID: CVE-2026-4075
- Affected component: BWL Advanced FAQ Manager Lite plugin for WordPress
- Affected versions: all versions up to and including 1.1.1
- Published: March 26, 2026 at 04:17:12 AM
- Last modified: March 26, 2026 at 04:17:12 AM
- CVSS v3.1: Base Score 6.4, MEDIUM (vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)
- Authentication / privileges / user interaction: Authentication required. Privileges required: LOW (Contributor-level access or higher). User interaction: NONE.
- Primary impact: Confidentiality: LOW; Integrity: LOW; Availability: NONE
- Weakness (CWE): CWE-79 (Improper Neutralization of Input During Web Page Generation)
Technical Details
This vulnerability is a stored cross-site scripting issue in the plugin’s baf_sbox shortcode implementation. Several shortcode attributes — including sbox_id, sbox_class, placeholder, highlight_color, highlight_bg, and cont_ext_class — are taken from user-supplied input and interpolated directly into HTML element attributes without being passed through esc_attr() or equivalent escaping.
Because the values are stored and later rendered in page HTML, an authenticated user with Contributor-level privileges can include crafted attribute values that inject arbitrary script content. The injected scripts execute in the context of any user who views the affected page, consistent with stored XSS behavior. The root cause is insufficient input sanitization and missing output escaping in the plugin’s baf_sbox() code path.
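As an added illustration (constructed for this summary, not the plugin's own code): a hypothetical shortcode handler in the vulnerable shape described above, beside a hardened form that escapes each attribute for the context it lands in. The `example_` function names, the attribute defaults and the hex-colour helper are assumptions; `shortcode_atts()`, `sanitize_html_class()` and `esc_attr()` are WordPress core functions.

```php
<?php
// Constructed example for a hypothetical [baf_sbox]-style shortcode. Not the
// plugin's code: it only reproduces the defect pattern the advisory describes.

// Vulnerable pattern: attribute values are interpolated into HTML attributes
// as-is, so any value containing a double quote terminates the attribute early
// and the rest of the string is parsed as markup.
function example_sbox_vulnerable( $atts ) {
    $atts = shortcode_atts( array(
        'sbox_id'     => 'baf-sbox',
        'sbox_class'  => '',
        'placeholder' => 'Search FAQs',
    ), $atts, 'baf_sbox' );

    return '<input id="' . $atts['sbox_id'] . '" class="' . $atts['sbox_class']
         . '" placeholder="' . $atts['placeholder'] . '" />';
}

// Assumed helper: accept only a 3- or 6-digit hex colour for inline CSS.
function example_sanitize_hex( $value ) {
    return preg_match( '/^#(?:[0-9a-fA-F]{3}){1,2}$/', $value ) ? $value : '';
}

// Hardened pattern: whitelist defaults, then escape every value at output time
// using the function that matches where the value ends up.
function example_sbox_hardened( $atts ) {
    $atts = shortcode_atts( array(
        'sbox_id'         => 'baf-sbox',
        'sbox_class'      => '',
        'placeholder'     => 'Search FAQs',
        'highlight_color' => '',
        'highlight_bg'    => '',
    ), $atts, 'baf_sbox' );

    // id/class: keep only characters that are valid in an HTML class token.
    $id    = sanitize_html_class( $atts['sbox_id'] );
    $class = implode( ' ', array_filter( array_map( 'sanitize_html_class',
                 explode( ' ', $atts['sbox_class'] ) ) ) );

    // Colours: reject anything that is not a plain hex colour before it reaches CSS.
    $style = '';
    $color = example_sanitize_hex( $atts['highlight_color'] );
    $bg    = example_sanitize_hex( $atts['highlight_bg'] );
    if ( $color ) { $style .= 'color:' . $color . ';'; }
    if ( $bg )    { $style .= 'background:' . $bg . ';'; }

    // Free text: esc_attr() encodes quotes, <, > and & for an attribute context.
    return '<input id="' . esc_attr( $id ) . '" class="' . esc_attr( $class )
         . '" placeholder="' . esc_attr( $atts['placeholder'] )
         . '" style="' . esc_attr( $style ) . '" />';
}
```

The hardened form also illustrates the review check a maintainer would apply to the baf_sbox() path: every attribute reaches output through an escaping or sanitizing call appropriate to its context, rather than relying on input filtering alone.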
How This Could Impact Your Website
In a realistic scenario, a site owner manages content and several team members contribute. An external contractor or an internal staff member with Contributor access could add or edit content that uses the vulnerable baf_sbox shortcode and include malicious attribute values. When other users (site editors, administrators, or visitors) view the page, injected scripts could run in their browsers.
Practical consequences include the exposure of user-specific data visible in the browser (for example, email addresses or other user-facing details) and an increased risk of targeted phishing or social engineering based on information collected via the injected scripts. The CVSS vector indicates limited confidentiality and integrity impact rather than direct loss of availability.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update the affected plugin to a release later than 1.1.1 as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially Contributor-level accounts.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from the site.
- Monitor site activity and logs for unusual behavior, including unexpected content changes.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/bwl-advanced-faq-manager-lite/tags/1.1.1/includes/shortcodes/baf_faq_list.php#L46
- https://plugins.trac.wordpress.org/browser/bwl-advanced-faq-manager-lite/tags/1.1.1/includes/shortcodes/baf_faq_list.php#L73
- https://plugins.trac.wordpress.org/browser/bwl-advanced-faq-manager-lite/tags/1.1.1/includes/shortcodes/baf_faq_list.php#L75
- https://plugins.trac.wordpress.org/browser/bwl-advanced-faq-manager-lite/trunk/includes/shortcodes/baf_faq_list.php#L46
- https://plugins.trac.wordpress.org/browser/bwl-advanced-faq-manager-lite/trunk/includes/shortcodes/baf_faq_list.php#L73
- https://plugins.trac.wordpress.org/browser/bwl-advanced-faq-manager-lite/trunk/includes/shortcodes/baf_faq_list.php#L75
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3487104%40bwl-advanced-faq-manager-lite&new=3487104%40bwl-advanced-faq-manager-lite&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/ef01f05a-ed5a-4278-acab-029c58242cf2?source=cve