Vulnerabilities and security researches forfaq-builder-ays faq-builder-ays

Jun 06, 2024

CVE, Research URL: CVE-2021-24461
Home page URL: Security reports for FAQ Builder AYS
Application: FAQ Builder AYS
Date: Aug 02, 2021
Research Description: The get_faqs() function in the FAQ Builder AYS WordPress plugin before 1.3.6 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard
Affected versions: max 1.3.6.
Status: vulnerable

Nov 29, 2024

CVE, Research URL: CVE-2024-11458
Home page URL: Security reports for FAQ Builder AYS
Application: FAQ Builder AYS
Date: Nov 28, 2024
Research Description: The FAQ Builder AYS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'ays_faq_tab' parameter in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions: max 1.7.2.
Status: vulnerable

Jan 25, 2025

CVE, Research URL: CVE-2025-24722
Home page URL: Security reports for FAQ Builder AYS
Application: FAQ Builder AYS
Date: Jan 24, 2025
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in F.A.Q Builder Team FAQ Builder AYS allows Stored XSS. This issue affects FAQ Builder AYS: from n/a through 1.7.3.
Affected versions: max 1.7.4.
Status: vulnerable

Mar 29, 2026

CVE, Research URL: CVE-2026-25346
Home page URL: Security reports for FAQ Builder AYS
Application: FAQ Builder AYS
Date: Mar 25, 2026
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ays Pro FAQ Builder AYS faq-builder-ays allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FAQ Builder AYS: from n/a through <= 1.8.2.
Affected versions: max 1.8.2.
Status: vulnerable