CYBERDUDEBIVASH PVT LTD

CYBERBIVASH

SENTINEL APEX THREAT INTEL
cyberdudebivash.com ↗
CVE Advisory CVE Analysis CyberDudeBivash MEDIUM Sentinel APEX Threat Intelligence TLP:GREEN

CVE-2026-4075 - BWL Advanced FAQ Manager Lite <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'sbox_id' Shortcode Attribute

TLP:GREEN // CDB-GOC CVE INTELLIGENCE ADVISORY // SENTINEL APEX v30.0
Report ID: CDB-CVE-2026-0326-39D8F3  |  Classification: TLP:GREEN  |  Published: 2026-03-26 05:48:06 UTC
Prepared By: CyberDudeBivash Global Operations Center (GOC)  |  Report Type: CVE Intelligence Advisory -- NVD-Verified  |  Distribution: SOC / Enterprise / Executive
MEDIUM TLP:GREEN CVSS 6.4 [OK] NVD-VERIFIED [!] PATCH STATUS UNKNOWN [!] Vulnerability Disclosure

CYBERDUDEBIVASH SENTINEL APEX(TM) // CVE THREAT INTELLIGENCE ADVISORY

CVE-2026-4075: The BWL Advanced FAQ Manager Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'baf_sbox' s

NVD-Verified Intelligence Advisory -- CyberDudeBivash Sentinel APEX(TM) | All technical claims verified against NIST NVD, CERT/CC, and official vendor references.

1. EXECUTIVE SUMMARY

[OK] VERIFIED INTELLIGENCE

CVE-2026-4075 is a MEDIUM-severity vulnerability published on March 26, 2026 with a CVSS 3.1 base score of 6.4/10.0. The vulnerability is classified under CWE-79 (Cross-site Scripting (XSS)). Web-facing application surfaces are in scope.

Vulnerability Summary (NVD-Verified)

The BWL Advanced FAQ Manager Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'baf_sbox' shortcode in all versions up to and including 1.1.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'sbox_id', 'sbox_class', 'placeholder', 'highlight_color', 'highlight_bg', and 'cont_ext_class'. These attributes are directly interpolated into HTML element attributes without any esc_attr() escaping in the baf_sbox() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Key Metrics at a Glance

AttributeValueSource
CVE ID CVE-2026-4075 NIST NVD
CVSS Base Score 6.4/10.0 (MEDIUM) NVD CVSS 3.1
Weakness Class CWE-79 NVD / MITRE CWE
NVD Status Received NIST NVD
Published March 26, 2026 NIST NVD
Last Modified March 26, 2026 NIST NVD
Intelligence Confidence Medium -- NVD entry received, awaiting full analysis. Consult vendor advisory for confirmation. CDB-GOC Assessment

Business Risk Implications: Organizations running internet-facing The BWL Advanced FAQ Manager Lite plugin for WordPress deployments are at risk. An attacker can exploit this vulnerability with low-privilege credentials. Cross-site scripting enables session hijacking and credential theft from The BWL Advanced FAQ Manager Lite plugin for WordPress users. Apply vendor patch within your scheduled maintenance window. Consult the vendor advisory in Section 9 for affected versions and patch instructions.

2. VULNERABILITY OVERVIEW

CVSS Vector Analysis

CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

MetricInterpretation
Attack Vector The vulnerability is exploitable remotely over a network without requiring physical access or local presence.
Attack Complexity No specialized conditions are required -- exploitation can be automated and repeated reliably.
Privileges Required Exploitation requires basic authenticated access (standard user privilege level).
User Interaction Exploitation does not require any user interaction -- attacks can be fully automated.
Confidentiality Impact Limited impact -- partial disclosure or modification possible
Integrity Impact Limited impact -- partial disclosure or modification possible
Availability Impact No impact

Weakness Classification

[OK] MITRE CWE / NVD VERIFIED
CWE IDNameClass
CWE-79 Cross-site Scripting (XSS) Injection

CWE-79 -- Technical Context

The software does not neutralize user-controllable input before it is placed in output as web page content.

OWASP Category: A03:2021 - Injection

3. VERIFIED TECHNICAL DETAILS

[OK] NVD AUTHORITATIVE DESCRIPTION

NVD Official Description:

The BWL Advanced FAQ Manager Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'baf_sbox' shortcode in all versions up to and including 1.1.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'sbox_id', 'sbox_class', 'placeholder', 'highlight_color', 'highlight_bg', and 'cont_ext_class'. These attributes are directly interpolated into HTML element attributes without any esc_attr() escaping in the baf_sbox() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Source: NIST National Vulnerability Database | Status: Received | Last Modified: March 26, 2026

Affected Products and Versions

[OK] NVD DESCRIPTION DERIVED

Affected versions are described in the official NVD entry: CVE-2026-4075. Consult the NVD reference and vendor advisory links in Section 9 for the authoritative affected version list.

From NVD description: The BWL Advanced FAQ Manager Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'baf_sbox' shortcode in all versions up to and including 1.1.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'sbox_id', 'sbo...

Vulnerability Mechanism (From Verified Description)

The following technical analysis is derived exclusively from the NVD description, associated CWE classification (CWE-79), and CVSS vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N). No additional attack scenarios have been extrapolated beyond the verified vulnerability scope.

CVSS Exploitability Profile

[OK] NVD CVSS 3.1 VERIFIED
ParameterValue
Base Score 6.4 (MEDIUM)
Exploitability Score 3.1/3.9
Impact Score 2.7/5.9
CVSS Vector String CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

[!] Scope Boundary: The technical analysis above is confined to the verified vulnerability scope as disclosed in the NVD entry. Claims regarding malware, firmware compromise, process injection, credential interception, OTP theft, supply chain attacks, or any attack technique not directly described in the NVD entry are outside the verified scope of this vulnerability and are not asserted in this report.

4. RESEARCHER ATTRIBUTION

Researcher attribution data is not available in the NVD entry for CVE-2026-4075 at the time of this report's generation. CYBERDUDEBIVASH Sentinel APEX(TM) will update this section if attribution information becomes available via NVD, CERT/CC, or researcher public disclosure.

5. SECURITY IMPLICATIONS

[i] SECURITY IMPLICATIONS -- Derived from Verified Facts

The following implications follow logically from the verified vulnerability facts. These represent the realistic security consequences of the vulnerability as disclosed. They are not extrapolated attack scenarios.

Direct Security Consequences

  • Client-side script execution in the user's browser context is possible.

Attack Surface Assessment

The vulnerability is exploitable remotely over a network without requiring physical access or local presence. Exploitation requires basic authenticated access (standard user privilege level). Exploitation does not require any user interaction -- attacks can be fully automated.

Affected Population

Based on the verified technical scope, the following user populations are affected:

  • Organizations running affected versions of the software described in the NVD entry
  • Users or administrators with access to the affected component or endpoint
  • Systems where the affected software is internet-facing or accessible by untrusted users

Consult the NVD entry and vendor advisory for the definitive list of affected versions. Systems that have applied the vendor patch or mitigation are not affected.

6. THREAT INTELLIGENCE CONTEXT

[!] THREAT INTELLIGENCE HYPOTHESIS -- Analytical Speculation

The scenarios below are analytical hypotheses derived from the vulnerability class, CVSS characteristics, and threat landscape context. They are not confirmed exploitation reports. They represent plausible -- but unverified -- threat scenarios that security teams may wish to consider in their risk modeling.

Potential Abuse Scenario: Based on the CVSS vector and CWE classification, threat actors aware of this vulnerability may attempt exploitation in targeted attack chains. Organizations should monitor for indicators consistent with the exploitation techniques described in the MITRE ATT&CK mapping in the Detection section.

These scenarios are analytical hypotheses based on the vulnerability class and CVSS characteristics. No active exploitation campaigns have been confirmed in public reporting at the time of this advisory.

Note: The vulnerability itself does not directly implement malware functionality. However, similar technical weaknesses can sometimes contribute to broader attack chains when combined with other techniques. Any such scenarios are speculative and clearly labeled as hypotheses in this advisory.

7. DETECTION OPPORTUNITIES

Detection strategies should be tailored to the vulnerability class (CWE-79). Consult the MITRE ATT&CK techniques in the table below for specific detection opportunities aligned to the threat model.

MITRE ATT&CK Technique Mapping (CWE-Verified)

[OK] CWE -> ATT&CK MAPPING
Technique ID Name Tactic Relevance to CVE-2026-4075
T1059.007 JavaScript Execution Execution XSS enables client-side script execution.

Sigma Rule (SIEM-Agnostic)

Deploy to Microsoft Sentinel, Splunk, Elastic, or any Sigma-compatible platform. Rule scope is aligned to the actual vulnerability class, not a generic campaign template.

title: Potential XSS Exploitation Attempt -- CVE-2026-4075 id: cdb-cve_2026_4075-sigma-001 status: experimental description: Detects HTTP requests containing common XSS payloads targeting CVE-2026-4075. references: - https://nvd.nist.gov/vuln/detail/CVE-2026-4075 author: CyberDudeBivash Sentinel APEX(TM) GOC date: 2026/03/26 tags: - attack.initial_access - attack.t1059.007 - cve.cve_2026_4075 logsource: category: webserver detection: selection: http.uri|contains: - 'YARA Rule (Endpoint / Binary Analysis)

Scoped to the vulnerability class (CWE-79). Apply to application binaries and memory forensics relevant to the affected component.

/* YARA Rule: CVE-2026-4075 Description: Generic vulnerability class detection for CVE-2026-4075 (CWE-79) Author: CyberDudeBivash Sentinel APEX(TM) GOC Date: 2026-03-26 Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-4075 */ rule CVE_2026_4075_generic_vuln_indicator { meta: cve = "CVE-2026-4075" cwe = "CWE-79" description = "Vulnerability artifact indicator for CVE-2026-4075" author = "CyberDudeBivash Sentinel APEX v44.0" date = "2026-03-26" reference = "https://nvd.nist.gov/vuln/detail/CVE-2026-4075" severity = "REVIEW" context = "Vulnerability detection -- consult NVD for precise scope" strings: $cve_ref = "CVE-2026-4075" ascii nocase $nvd_ref = "nvd.nist.gov" ascii condition: any of ($*) }

8. DEFENSIVE RECOMMENDATIONS

The following recommendations are scoped to the verified vulnerability and its actual security impact. Generic security hardening guidance is provided where relevant but clearly distinguished from vulnerability-specific actions.

Vulnerability-Specific Actions (Primary)

  • Immediate -- Apply Vendor Patches: Deploy all patches referenced in the NVD entry for CVE-2026-4075 immediately. Prioritize internet-facing systems and those with public accessibility.
  • Web Application Firewall: Implement WAF rules targeting the injection pattern class identified in the NVD description.
  • Input Validation Audit: Review all user-supplied input handling in the affected application for similar weaknesses.

General Hardening (Secondary)

  • Asset Inventory: Maintain an up-to-date inventory of all deployed application versions to enable rapid identification of exposure when new CVEs are published.
  • Vulnerability Management Program: Cross-reference CVE-2026-4075 against your vulnerability management platform and CISA's Known Exploited Vulnerabilities (KEV) catalog. Adjust patch priority based on your organization's threat exposure.
  • Patch Testing Pipeline: Establish a tested patch deployment workflow that enables critical patches to reach production within 24-72 hours of vendor release.

9. REFERENCES

[OK] AUTHORITATIVE SOURCES
Source Reference URL Type
NVD https://nvd.nist.gov/vuln/detail/CVE-2026-4075 Primary -- NVD Official Entry
1 https://plugins.trac.wordpress.org/browser/bwl-advanced-faq-manager-lite/tags/1.1.1/includes/shortcodes/baf_faq_list.php#L46
2 https://plugins.trac.wordpress.org/browser/bwl-advanced-faq-manager-lite/tags/1.1.1/includes/shortcodes/baf_faq_list.php#L73
3 https://plugins.trac.wordpress.org/browser/bwl-advanced-faq-manager-lite/tags/1.1.1/includes/shortcodes/baf_faq_list.php#L75
4 https://plugins.trac.wordpress.org/browser/bwl-advanced-faq-manager-lite/trunk/includes/shortcodes/baf_faq_list.php#L46
5 https://plugins.trac.wordpress.org/browser/bwl-advanced-faq-manager-lite/trunk/includes/shortcodes/baf_faq_list.php#L73
6 https://plugins.trac.wordpress.org/browser/bwl-advanced-faq-manager-lite/trunk/includes/shortcodes/baf_faq_list.php#L75
7 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3487104%40bwl-advanced-faq-manager-lite&new=3487104%40bwl-advanced-faq-manager-lite&sfp_email=&sfph_mail=
8 https://www.wordfence.com/threat-intel/vulnerabilities/id/ef01f05a-ed5a-4278-acab-029c58242cf2?source=cve

All references above are sourced from the NIST National Vulnerability Database entry for CVE-2026-4075. Security teams should consult these primary sources directly for the most current information.

10. INTELLIGENCE CONFIDENCE ASSESSMENT

Signal Factor Confidence Notes
[OK] CVSS 3.1 Score Available HIGH Quantitative risk metric confirmed
[OK] CWE Classification Confirmed HIGH Weakness class verified by NVD
[OK] 8 Reference(s) Available HIGH Vendor and third-party sources linked in NVD
[i] CISA KEV Status N/A Not confirmed in CISA Known Exploited Vulnerabilities catalog at time of report generation
-> OVERALL INTELLIGENCE CONFIDENCE MEDIUM Partial NVD verification. Consult vendor advisories for additional confirmation.

Methodology Transparency

This report was generated by the CYBERDUDEBIVASH Sentinel APEX(TM) CVE-Verified Report Engine v44.0. All technical claims are sourced exclusively from: (1) the NIST National Vulnerability Database REST API v2 (CVE-2026-4075), (2) CWE/MITRE classification data, and (3) CVSS vector mechanical interpretation. No keyword-driven narrative templates, machine learning content generation, or speculative attack chain injection were used in producing the verified sections (Sections 1-5) of this report.

Section 6 (Threat Intelligence Context) is explicitly labeled as analytical hypothesis and is clearly separated from verified intelligence throughout the report.

CYBERDUDEBIVASH SENTINEL APEX(TM)

Global Threat Intelligence Platform

(C) CyberDudeBivash Pvt. Ltd. | Bhubaneswar, Odisha, India

Report ID: CDB-CVE-2026-0326-39D8F3 | Generated: 2026-03-26 05:48:06 UTC

This advisory is produced for defensive intelligence purposes. All claims verified against NIST NVD. Distribution: TLP:CLEAR.

▸▸ LATEST THREAT ADVISORIES
⎯⎯⎯ NAVIGATE INTELLIGENCE REPORTS ⎯⎯⎯
■ LOADING NAVIGATION...