Search criteria
16 vulnerabilities found for Accordion by PickPlugins
CVE-2025-53421 (GCVE-0-2025-53421)
Vulnerability from cvelistv5 – Published: 2025-10-22 14:32 – Updated: 2025-12-03 15:24
VLAI?
Title
WordPress Accordion plugin <= 2.3.14 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in PickPlugins Accordion accordions allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Accordion: from n/a through <= 2.3.14.
Severity ?
6.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PickPlugins | Accordion |
Affected:
n/a , ≤ <= 2.3.14
(custom)
|
Credits
Abu Hurayra (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-53421",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-23T13:47:18.454265Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T15:24:53.714Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "accordions",
"product": "Accordion",
"vendor": "PickPlugins",
"versions": [
{
"changes": [
{
"at": "2.3.16",
"status": "unaffected"
}
],
"lessThanOrEqual": "\u003c= 2.3.14",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Abu Hurayra (Patchstack Alliance)"
}
],
"datePublic": "2025-10-22T15:51:50.474Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in PickPlugins Accordion accordions allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Accordion: from n/a through \u003c= 2.3.14.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in PickPlugins Accordion accordions allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Accordion: from n/a through \u003c= 2.3.14."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-13T10:33:42.371Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://vdp.patchstack.com/database/Wordpress/Plugin/accordions/vulnerability/wordpress-accordion-plugin-2-3-14-broken-access-control-vulnerability-2?_s_id=cve"
}
],
"title": "WordPress Accordion plugin \u003c= 2.3.14 - Broken Access Control vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-53421",
"datePublished": "2025-10-22T14:32:32.545Z",
"dateReserved": "2025-06-30T10:46:02.700Z",
"dateUpdated": "2025-12-03T15:24:53.714Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58678 (GCVE-0-2025-58678)
Vulnerability from cvelistv5 – Published: 2025-09-22 18:22 – Updated: 2025-09-23 14:12
VLAI?
Title
WordPress Accordion Plugin <= 2.3.14 - Broken Access Control Vulnerability
Summary
Missing Authorization vulnerability in PickPlugins Accordion allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Accordion: from n/a through 2.3.14.
Severity ?
6.5 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PickPlugins | Accordion |
Affected:
n/a , ≤ 2.3.14
(custom)
|
Credits
Abu Hurayra (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58678",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-23T13:59:18.177446Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-23T14:12:56.019Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "accordions",
"product": "Accordion",
"vendor": "PickPlugins",
"versions": [
{
"lessThanOrEqual": "2.3.14",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Abu Hurayra (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMissing Authorization vulnerability in PickPlugins Accordion allows Exploiting Incorrectly Configured Access Control Security Levels.\u003c/p\u003e\u003cp\u003eThis issue affects Accordion: from n/a through 2.3.14.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in PickPlugins Accordion allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Accordion: from n/a through 2.3.14."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-22T18:22:49.836Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/accordions/vulnerability/wordpress-accordion-plugin-2-3-14-broken-access-control-vulnerability?_s_id=cve"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Accordion Plugin \u003c= 2.3.14 - Broken Access Control Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-58678",
"datePublished": "2025-09-22T18:22:49.836Z",
"dateReserved": "2025-09-03T09:03:46.831Z",
"dateUpdated": "2025-09-23T14:12:56.019Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32143 (GCVE-0-2025-32143)
Vulnerability from cvelistv5 – Published: 2025-04-11 08:42 – Updated: 2025-04-11 15:11
VLAI?
Title
WordPress Accordion plugin <= 2.3.10 - PHP Object Injection vulnerability
Summary
Deserialization of Untrusted Data vulnerability in PickPlugins Accordion allows Object Injection. This issue affects Accordion: from n/a through 2.3.10.
Severity ?
8.8 (High)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PickPlugins | Accordion |
Affected:
n/a , ≤ 2.3.10
(custom)
|
Credits
LVT-tholv2k (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32143",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-11T15:11:14.312494Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-11T15:11:39.926Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "accordions",
"product": "Accordion",
"vendor": "PickPlugins",
"versions": [
{
"lessThanOrEqual": "2.3.10",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "LVT-tholv2k (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDeserialization of Untrusted Data vulnerability in PickPlugins Accordion allows Object Injection.\u003c/p\u003e\u003cp\u003eThis issue affects Accordion: from n/a through 2.3.10.\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in PickPlugins Accordion allows Object Injection. This issue affects Accordion: from n/a through 2.3.10."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-11T08:42:51.243Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/accordions/vulnerability/wordpress-accordion-plugin-2-3-10-php-object-injection-vulnerability?_s_id=cve"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Accordion plugin \u003c= 2.3.10 - PHP Object Injection vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-32143",
"datePublished": "2025-04-11T08:42:51.243Z",
"dateReserved": "2025-04-04T10:00:50.063Z",
"dateUpdated": "2025-04-11T15:11:39.926Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47342 (GCVE-0-2024-47342)
Vulnerability from cvelistv5 – Published: 2024-10-06 10:48 – Updated: 2024-10-07 13:12
VLAI?
Title
WordPress Accordion plugin <= 2.2.99 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PickPlugins Accordion accordions allows Stored XSS.This issue affects Accordion: from n/a through 2.2.99.
Severity ?
6.5 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PickPlugins | Accordion |
Affected:
n/a , ≤ 2.2.99
(custom)
|
Credits
Robert DeVore (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47342",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-07T13:11:58.626671Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-07T13:12:12.341Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "accordions",
"product": "Accordion",
"vendor": "PickPlugins",
"versions": [
{
"changes": [
{
"at": "2.2.100",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.2.99",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Robert DeVore (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in PickPlugins Accordion accordions allows Stored XSS.\u003cp\u003eThis issue affects Accordion: from n/a through 2.2.99.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in PickPlugins Accordion accordions allows Stored XSS.This issue affects Accordion: from n/a through 2.2.99."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-06T10:48:08.548Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/accordions/wordpress-accordion-plugin-2-2-99-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 2.2.100 or a higher version."
}
],
"value": "Update to 2.2.100 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Accordion plugin \u003c= 2.2.99 - Cross Site Scripting (XSS) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-47342",
"datePublished": "2024-10-06T10:48:08.548Z",
"dateReserved": "2024-09-24T13:01:03.948Z",
"dateUpdated": "2024-10-07T13:12:12.341Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-1641 (GCVE-0-2024-1641)
Vulnerability from cvelistv5 – Published: 2024-04-09 18:58 – Updated: 2024-08-01 18:48
VLAI?
Summary
The Accordion plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the 'accordions_duplicate_post_as_draft' function in all versions up to, and including, 2.2.96. This makes it possible for authenticated attackers, with contributor access and above, to duplicate arbitrary posts, allowing access to the contents of password-protected posts.
Severity ?
5.4 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| pickplugins | Accordion |
Affected:
* , ≤ 2.2.96
(semver)
|
Credits
Lucio Sá
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1641",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-11T17:40:09.995950Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T18:00:11.715Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:48:21.807Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0e7e7c70-4d07-4550-9cf8-5135b87b67ca?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/accordions/tags/2.2.96/includes/duplicate-post.php"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?old_path=/accordions/tags/2.2.96\u0026old=3050599\u0026new_path=/accordions/tags/2.2.97\u0026new=3050599\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Accordion",
"vendor": "pickplugins",
"versions": [
{
"lessThanOrEqual": "2.2.96",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucio S\u00e1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Accordion plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the \u0027accordions_duplicate_post_as_draft\u0027 function in all versions up to, and including, 2.2.96. This makes it possible for authenticated attackers, with contributor access and above, to duplicate arbitrary posts, allowing access to the contents of password-protected posts."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-862 Missing Authorization",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-09T18:58:32.158Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0e7e7c70-4d07-4550-9cf8-5135b87b67ca?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/accordions/tags/2.2.96/includes/duplicate-post.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=/accordions/tags/2.2.96\u0026old=3050599\u0026new_path=/accordions/tags/2.2.97\u0026new=3050599\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-03-13T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-1641",
"datePublished": "2024-04-09T18:58:32.158Z",
"dateReserved": "2024-02-19T20:15:43.992Z",
"dateUpdated": "2024-08-01T18:48:21.807Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24283 (GCVE-0-2021-24283)
Vulnerability from cvelistv5 – Published: 2021-05-14 11:38 – Updated: 2024-08-03 19:28
VLAI?
Title
Accordion < 2.2.30 - Authenticated Reflected Cross-Site Scripting (XSS)
Summary
The tab GET parameter of the settings page is not sanitised or escaped when being output back in an HTML attribute, leading to a reflected XSS issue.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PickPlugins | Accordion |
Affected:
2.2.30 , < 2.2.30
(custom)
|
Credits
iohex
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:28:23.428Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/6ccd9990-e15f-4800-b499-f7c74b480051"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Accordion",
"vendor": "PickPlugins",
"versions": [
{
"lessThan": "2.2.30",
"status": "affected",
"version": "2.2.30",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "iohex"
}
],
"descriptions": [
{
"lang": "en",
"value": "The tab GET parameter of the settings page is not sanitised or escaped when being output back in an HTML attribute, leading to a reflected XSS issue."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-14T11:38:17",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/6ccd9990-e15f-4800-b499-f7c74b480051"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Accordion \u003c 2.2.30 - Authenticated Reflected Cross-Site Scripting (XSS)",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24283",
"STATE": "PUBLIC",
"TITLE": "Accordion \u003c 2.2.30 - Authenticated Reflected Cross-Site Scripting (XSS)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Accordion",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "2.2.30",
"version_value": "2.2.30"
}
]
}
}
]
},
"vendor_name": "PickPlugins"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "iohex"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The tab GET parameter of the settings page is not sanitised or escaped when being output back in an HTML attribute, leading to a reflected XSS issue."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/6ccd9990-e15f-4800-b499-f7c74b480051",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/6ccd9990-e15f-4800-b499-f7c74b480051"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24283",
"datePublished": "2021-05-14T11:38:17",
"dateReserved": "2021-01-14T00:00:00",
"dateUpdated": "2024-08-03T19:28:23.428Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-13644 (GCVE-0-2020-13644)
Vulnerability from cvelistv5 – Published: 2020-05-28 03:11 – Updated: 2024-08-04 12:25
VLAI?
Summary
An issue was discovered in the Accordion plugin before 2.2.9 for WordPress. The unprotected AJAX wp_ajax_accordions_ajax_import_json action allowed any authenticated user with Subscriber or higher permissions the ability to import a new accordion and inject malicious JavaScript as part of the accordion.
Severity ?
5.4 (Medium)
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:25:16.466Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.wordfence.com/blog/2020/04/vulnerability-patched-in-accordion-plugin/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wordpress.org/plugins/accordions/#developers"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in the Accordion plugin before 2.2.9 for WordPress. The unprotected AJAX wp_ajax_accordions_ajax_import_json action allowed any authenticated user with Subscriber or higher permissions the ability to import a new accordion and inject malicious JavaScript as part of the accordion."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AC:L/AV:N/A:N/C:L/I:L/PR:L/S:C/UI:R",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-28T03:11:33",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.wordfence.com/blog/2020/04/vulnerability-patched-in-accordion-plugin/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wordpress.org/plugins/accordions/#developers"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-13644",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in the Accordion plugin before 2.2.9 for WordPress. The unprotected AJAX wp_ajax_accordions_ajax_import_json action allowed any authenticated user with Subscriber or higher permissions the ability to import a new accordion and inject malicious JavaScript as part of the accordion."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AC:L/AV:N/A:N/C:L/I:L/PR:L/S:C/UI:R",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.wordfence.com/blog/2020/04/vulnerability-patched-in-accordion-plugin/",
"refsource": "MISC",
"url": "https://www.wordfence.com/blog/2020/04/vulnerability-patched-in-accordion-plugin/"
},
{
"name": "https://wordpress.org/plugins/accordions/#developers",
"refsource": "MISC",
"url": "https://wordpress.org/plugins/accordions/#developers"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-13644",
"datePublished": "2020-05-28T03:11:33",
"dateReserved": "2020-05-27T00:00:00",
"dateUpdated": "2024-08-04T12:25:16.466Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-53421 (GCVE-0-2025-53421)
Vulnerability from nvd – Published: 2025-10-22 14:32 – Updated: 2025-12-03 15:24
VLAI?
Title
WordPress Accordion plugin <= 2.3.14 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in PickPlugins Accordion accordions allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Accordion: from n/a through <= 2.3.14.
Severity ?
6.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PickPlugins | Accordion |
Affected:
n/a , ≤ <= 2.3.14
(custom)
|
Credits
Abu Hurayra (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-53421",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-23T13:47:18.454265Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T15:24:53.714Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "accordions",
"product": "Accordion",
"vendor": "PickPlugins",
"versions": [
{
"changes": [
{
"at": "2.3.16",
"status": "unaffected"
}
],
"lessThanOrEqual": "\u003c= 2.3.14",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Abu Hurayra (Patchstack Alliance)"
}
],
"datePublic": "2025-10-22T15:51:50.474Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in PickPlugins Accordion accordions allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Accordion: from n/a through \u003c= 2.3.14.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in PickPlugins Accordion accordions allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Accordion: from n/a through \u003c= 2.3.14."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-13T10:33:42.371Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://vdp.patchstack.com/database/Wordpress/Plugin/accordions/vulnerability/wordpress-accordion-plugin-2-3-14-broken-access-control-vulnerability-2?_s_id=cve"
}
],
"title": "WordPress Accordion plugin \u003c= 2.3.14 - Broken Access Control vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-53421",
"datePublished": "2025-10-22T14:32:32.545Z",
"dateReserved": "2025-06-30T10:46:02.700Z",
"dateUpdated": "2025-12-03T15:24:53.714Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58678 (GCVE-0-2025-58678)
Vulnerability from nvd – Published: 2025-09-22 18:22 – Updated: 2025-09-23 14:12
VLAI?
Title
WordPress Accordion Plugin <= 2.3.14 - Broken Access Control Vulnerability
Summary
Missing Authorization vulnerability in PickPlugins Accordion allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Accordion: from n/a through 2.3.14.
Severity ?
6.5 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PickPlugins | Accordion |
Affected:
n/a , ≤ 2.3.14
(custom)
|
Credits
Abu Hurayra (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58678",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-23T13:59:18.177446Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-23T14:12:56.019Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "accordions",
"product": "Accordion",
"vendor": "PickPlugins",
"versions": [
{
"lessThanOrEqual": "2.3.14",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Abu Hurayra (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMissing Authorization vulnerability in PickPlugins Accordion allows Exploiting Incorrectly Configured Access Control Security Levels.\u003c/p\u003e\u003cp\u003eThis issue affects Accordion: from n/a through 2.3.14.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in PickPlugins Accordion allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Accordion: from n/a through 2.3.14."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-22T18:22:49.836Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/accordions/vulnerability/wordpress-accordion-plugin-2-3-14-broken-access-control-vulnerability?_s_id=cve"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Accordion Plugin \u003c= 2.3.14 - Broken Access Control Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-58678",
"datePublished": "2025-09-22T18:22:49.836Z",
"dateReserved": "2025-09-03T09:03:46.831Z",
"dateUpdated": "2025-09-23T14:12:56.019Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32143 (GCVE-0-2025-32143)
Vulnerability from nvd – Published: 2025-04-11 08:42 – Updated: 2025-04-11 15:11
VLAI?
Title
WordPress Accordion plugin <= 2.3.10 - PHP Object Injection vulnerability
Summary
Deserialization of Untrusted Data vulnerability in PickPlugins Accordion allows Object Injection. This issue affects Accordion: from n/a through 2.3.10.
Severity ?
8.8 (High)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PickPlugins | Accordion |
Affected:
n/a , ≤ 2.3.10
(custom)
|
Credits
LVT-tholv2k (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32143",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-11T15:11:14.312494Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-11T15:11:39.926Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "accordions",
"product": "Accordion",
"vendor": "PickPlugins",
"versions": [
{
"lessThanOrEqual": "2.3.10",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "LVT-tholv2k (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDeserialization of Untrusted Data vulnerability in PickPlugins Accordion allows Object Injection.\u003c/p\u003e\u003cp\u003eThis issue affects Accordion: from n/a through 2.3.10.\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in PickPlugins Accordion allows Object Injection. This issue affects Accordion: from n/a through 2.3.10."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-11T08:42:51.243Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/accordions/vulnerability/wordpress-accordion-plugin-2-3-10-php-object-injection-vulnerability?_s_id=cve"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Accordion plugin \u003c= 2.3.10 - PHP Object Injection vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-32143",
"datePublished": "2025-04-11T08:42:51.243Z",
"dateReserved": "2025-04-04T10:00:50.063Z",
"dateUpdated": "2025-04-11T15:11:39.926Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-47342 (GCVE-0-2024-47342)
Vulnerability from nvd – Published: 2024-10-06 10:48 – Updated: 2024-10-07 13:12
VLAI?
Title
WordPress Accordion plugin <= 2.2.99 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PickPlugins Accordion accordions allows Stored XSS.This issue affects Accordion: from n/a through 2.2.99.
Severity ?
6.5 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PickPlugins | Accordion |
Affected:
n/a , ≤ 2.2.99
(custom)
|
Credits
Robert DeVore (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47342",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-07T13:11:58.626671Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-07T13:12:12.341Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "accordions",
"product": "Accordion",
"vendor": "PickPlugins",
"versions": [
{
"changes": [
{
"at": "2.2.100",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.2.99",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Robert DeVore (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in PickPlugins Accordion accordions allows Stored XSS.\u003cp\u003eThis issue affects Accordion: from n/a through 2.2.99.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in PickPlugins Accordion accordions allows Stored XSS.This issue affects Accordion: from n/a through 2.2.99."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-06T10:48:08.548Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/accordions/wordpress-accordion-plugin-2-2-99-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 2.2.100 or a higher version."
}
],
"value": "Update to 2.2.100 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Accordion plugin \u003c= 2.2.99 - Cross Site Scripting (XSS) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-47342",
"datePublished": "2024-10-06T10:48:08.548Z",
"dateReserved": "2024-09-24T13:01:03.948Z",
"dateUpdated": "2024-10-07T13:12:12.341Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-1641 (GCVE-0-2024-1641)
Vulnerability from nvd – Published: 2024-04-09 18:58 – Updated: 2024-08-01 18:48
VLAI?
Summary
The Accordion plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the 'accordions_duplicate_post_as_draft' function in all versions up to, and including, 2.2.96. This makes it possible for authenticated attackers, with contributor access and above, to duplicate arbitrary posts, allowing access to the contents of password-protected posts.
Severity ?
5.4 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| pickplugins | Accordion |
Affected:
* , ≤ 2.2.96
(semver)
|
Credits
Lucio Sá
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1641",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-11T17:40:09.995950Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T18:00:11.715Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:48:21.807Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0e7e7c70-4d07-4550-9cf8-5135b87b67ca?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/accordions/tags/2.2.96/includes/duplicate-post.php"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?old_path=/accordions/tags/2.2.96\u0026old=3050599\u0026new_path=/accordions/tags/2.2.97\u0026new=3050599\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Accordion",
"vendor": "pickplugins",
"versions": [
{
"lessThanOrEqual": "2.2.96",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucio S\u00e1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Accordion plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the \u0027accordions_duplicate_post_as_draft\u0027 function in all versions up to, and including, 2.2.96. This makes it possible for authenticated attackers, with contributor access and above, to duplicate arbitrary posts, allowing access to the contents of password-protected posts."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-862 Missing Authorization",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-09T18:58:32.158Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0e7e7c70-4d07-4550-9cf8-5135b87b67ca?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/accordions/tags/2.2.96/includes/duplicate-post.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=/accordions/tags/2.2.96\u0026old=3050599\u0026new_path=/accordions/tags/2.2.97\u0026new=3050599\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-03-13T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-1641",
"datePublished": "2024-04-09T18:58:32.158Z",
"dateReserved": "2024-02-19T20:15:43.992Z",
"dateUpdated": "2024-08-01T18:48:21.807Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24283 (GCVE-0-2021-24283)
Vulnerability from nvd – Published: 2021-05-14 11:38 – Updated: 2024-08-03 19:28
VLAI?
Title
Accordion < 2.2.30 - Authenticated Reflected Cross-Site Scripting (XSS)
Summary
The tab GET parameter of the settings page is not sanitised or escaped when being output back in an HTML attribute, leading to a reflected XSS issue.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PickPlugins | Accordion |
Affected:
2.2.30 , < 2.2.30
(custom)
|
Credits
iohex
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:28:23.428Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/6ccd9990-e15f-4800-b499-f7c74b480051"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Accordion",
"vendor": "PickPlugins",
"versions": [
{
"lessThan": "2.2.30",
"status": "affected",
"version": "2.2.30",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "iohex"
}
],
"descriptions": [
{
"lang": "en",
"value": "The tab GET parameter of the settings page is not sanitised or escaped when being output back in an HTML attribute, leading to a reflected XSS issue."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-14T11:38:17",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/6ccd9990-e15f-4800-b499-f7c74b480051"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Accordion \u003c 2.2.30 - Authenticated Reflected Cross-Site Scripting (XSS)",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24283",
"STATE": "PUBLIC",
"TITLE": "Accordion \u003c 2.2.30 - Authenticated Reflected Cross-Site Scripting (XSS)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Accordion",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "2.2.30",
"version_value": "2.2.30"
}
]
}
}
]
},
"vendor_name": "PickPlugins"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "iohex"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The tab GET parameter of the settings page is not sanitised or escaped when being output back in an HTML attribute, leading to a reflected XSS issue."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/6ccd9990-e15f-4800-b499-f7c74b480051",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/6ccd9990-e15f-4800-b499-f7c74b480051"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24283",
"datePublished": "2021-05-14T11:38:17",
"dateReserved": "2021-01-14T00:00:00",
"dateUpdated": "2024-08-03T19:28:23.428Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-13644 (GCVE-0-2020-13644)
Vulnerability from nvd – Published: 2020-05-28 03:11 – Updated: 2024-08-04 12:25
VLAI?
Summary
An issue was discovered in the Accordion plugin before 2.2.9 for WordPress. The unprotected AJAX wp_ajax_accordions_ajax_import_json action allowed any authenticated user with Subscriber or higher permissions the ability to import a new accordion and inject malicious JavaScript as part of the accordion.
Severity ?
5.4 (Medium)
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:25:16.466Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.wordfence.com/blog/2020/04/vulnerability-patched-in-accordion-plugin/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wordpress.org/plugins/accordions/#developers"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in the Accordion plugin before 2.2.9 for WordPress. The unprotected AJAX wp_ajax_accordions_ajax_import_json action allowed any authenticated user with Subscriber or higher permissions the ability to import a new accordion and inject malicious JavaScript as part of the accordion."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AC:L/AV:N/A:N/C:L/I:L/PR:L/S:C/UI:R",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-28T03:11:33",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.wordfence.com/blog/2020/04/vulnerability-patched-in-accordion-plugin/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wordpress.org/plugins/accordions/#developers"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-13644",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in the Accordion plugin before 2.2.9 for WordPress. The unprotected AJAX wp_ajax_accordions_ajax_import_json action allowed any authenticated user with Subscriber or higher permissions the ability to import a new accordion and inject malicious JavaScript as part of the accordion."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AC:L/AV:N/A:N/C:L/I:L/PR:L/S:C/UI:R",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.wordfence.com/blog/2020/04/vulnerability-patched-in-accordion-plugin/",
"refsource": "MISC",
"url": "https://www.wordfence.com/blog/2020/04/vulnerability-patched-in-accordion-plugin/"
},
{
"name": "https://wordpress.org/plugins/accordions/#developers",
"refsource": "MISC",
"url": "https://wordpress.org/plugins/accordions/#developers"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-13644",
"datePublished": "2020-05-28T03:11:33",
"dateReserved": "2020-05-27T00:00:00",
"dateUpdated": "2024-08-04T12:25:16.466Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
FKIE_CVE-2021-24283
Vulnerability from fkie_nvd - Published: 2021-05-14 12:15 - Updated: 2024-11-21 05:52
Severity ?
Summary
The tab GET parameter of the settings page is not sanitised or escaped when being output back in an HTML attribute, leading to a reflected XSS issue.
References
| URL | Tags | ||
|---|---|---|---|
| contact@wpscan.com | https://wpscan.com/vulnerability/6ccd9990-e15f-4800-b499-f7c74b480051 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wpscan.com/vulnerability/6ccd9990-e15f-4800-b499-f7c74b480051 | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| pickplugins | accordion | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pickplugins:accordion:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "E19DB9AA-3A61-472B-90C8-B775F41B96CF",
"versionEndExcluding": "2.2.30",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The tab GET parameter of the settings page is not sanitised or escaped when being output back in an HTML attribute, leading to a reflected XSS issue."
},
{
"lang": "es",
"value": "El par\u00e1metro tab GET de la p\u00e1gina de configuraci\u00f3n no se sanea ni se escapa al ser devuelto en un atributo HTML, conllevando a un problema de tipo XSS reflejado"
}
],
"id": "CVE-2021-24283",
"lastModified": "2024-11-21T05:52:45.407",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-05-14T12:15:08.357",
"references": [
{
"source": "contact@wpscan.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/6ccd9990-e15f-4800-b499-f7c74b480051"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/6ccd9990-e15f-4800-b499-f7c74b480051"
}
],
"sourceIdentifier": "contact@wpscan.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "contact@wpscan.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2020-13644
Vulnerability from fkie_nvd - Published: 2020-05-28 04:15 - Updated: 2024-11-21 05:01
Severity ?
Summary
An issue was discovered in the Accordion plugin before 2.2.9 for WordPress. The unprotected AJAX wp_ajax_accordions_ajax_import_json action allowed any authenticated user with Subscriber or higher permissions the ability to import a new accordion and inject malicious JavaScript as part of the accordion.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://wordpress.org/plugins/accordions/#developers | Release Notes, Third Party Advisory | |
| cve@mitre.org | https://www.wordfence.com/blog/2020/04/vulnerability-patched-in-accordion-plugin/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wordpress.org/plugins/accordions/#developers | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.wordfence.com/blog/2020/04/vulnerability-patched-in-accordion-plugin/ | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| pickplugins | accordion | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pickplugins:accordion:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0DA677AF-3C00-42E2-BF26-D96A6766E836",
"versionEndExcluding": "2.2.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in the Accordion plugin before 2.2.9 for WordPress. The unprotected AJAX wp_ajax_accordions_ajax_import_json action allowed any authenticated user with Subscriber or higher permissions the ability to import a new accordion and inject malicious JavaScript as part of the accordion."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en el plugin Accordion versiones anteriores a 2.2.9 para WordPress. La acci\u00f3n no protegida de AJAX wp_ajax_accordions_ajax_import_json permiti\u00f3 a cualquier usuario autenticado con permisos Suscriber o superiores la capacidad de importar un nuevo accordion e inyectar JavaScript malicioso como parte del accordion."
}
],
"id": "CVE-2020-13644",
"lastModified": "2024-11-21T05:01:40.153",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "cve@mitre.org",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-05-28T04:15:13.457",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://wordpress.org/plugins/accordions/#developers"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.wordfence.com/blog/2020/04/vulnerability-patched-in-accordion-plugin/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://wordpress.org/plugins/accordions/#developers"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.wordfence.com/blog/2020/04/vulnerability-patched-in-accordion-plugin/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}