
4 vulnerabilities found for Read More & Accordion by edmonparker

CVE-2025-0810 (GCVE-0-2025-0810)

Vulnerability from cvelistv5 – Published: 2025-04-05 01:44 – Updated: 2025-04-07 14:12
Title
Read More & Accordion <= 3.4.5 - Cross-Site Request Forgery to Local File Inclusion
Summary
The Read More & Accordion plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.5. This is due to missing or incorrect nonce validation on the addNewButtons() function. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
Impacted products
Vendor Product Version
edmonparker Read More & Accordion Affected: * , ≤ 3.4.5 (semver)
Credits
Bassem Essam

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-0810",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-07T13:05:10.861244Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-07T14:12:32.633Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Read More \u0026 Accordion",
          "vendor": "edmonparker",
          "versions": [
            {
              "lessThanOrEqual": "3.4.5",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Bassem Essam"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Read More \u0026 Accordion plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.5. This is due to missing or incorrect nonce validation on the addNewButtons() function. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-05T01:44:44.158Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a963cd9b-9f8f-4bd2-92cd-74c5e85e1d96?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/expand-maker/trunk/classes/ReadMorePages.php#L82"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/expand-maker/trunk/classes/ReadMorePages.php#L59"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/expand-maker/trunk/classes/ReadMoreInit.php#L122"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-04-04T13:09:44.000+00:00",
          "value": "Disclosed"
        }
      ],
      "title": "Read More \u0026 Accordion \u003c= 3.4.5 - Cross-Site Request Forgery to Local File Inclusion"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-0810",
    "datePublished": "2025-04-05T01:44:44.158Z",
    "dateReserved": "2025-01-28T15:19:47.042Z",
    "dateUpdated": "2025-04-07T14:12:32.633Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-13639 (GCVE-0-2024-13639)

Vulnerability from cvelistv5 – Published: 2025-02-13 08:21 – Updated: 2025-02-13 14:37
Title
Read More & Accordion <= 3.4.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary 'Read More' Post Deletion
Summary
The Read More & Accordion plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the expmDeleteData() function in all versions up to, and including, 3.4.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary 'read more' posts.
CWE
  • CWE-862 - Missing Authorization
Assigner
Impacted products
Vendor Product Version
edmonparker Read More & Accordion Affected: * , ≤ 3.4.2 (semver)
Credits
Youcef Hamdani

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-13639",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-13T14:37:05.418825Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-13T14:37:16.807Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Read More \u0026 Accordion",
          "vendor": "edmonparker",
          "versions": [
            {
              "lessThanOrEqual": "3.4.2",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Youcef Hamdani"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Read More \u0026 Accordion plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the expmDeleteData() function in all versions up to, and including, 3.4.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary \u0027read more\u0027 posts."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-13T08:21:24.056Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/65849267-8bb5-48fd-b95e-e89a1e744fe0?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/expand-maker/trunk/files/ReadMoreAdminPost.php#L98"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/expand-maker/trunk/files/ReadMoreAdminPost.php#L9"
        },
        {
          "url": "https://wordpress.org/plugins/expand-maker/"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3239533/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-02-12T19:43:15.000+00:00",
          "value": "Disclosed"
        }
      ],
      "title": "Read More \u0026 Accordion \u003c= 3.4.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary \u0027Read More\u0027 Post Deletion"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2024-13639",
    "datePublished": "2025-02-13T08:21:24.056Z",
    "dateReserved": "2025-01-22T22:48:16.432Z",
    "dateUpdated": "2025-02-13T14:37:16.807Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-0810 (GCVE-0-2025-0810)

Vulnerability from nvd – Published: 2025-04-05 01:44 – Updated: 2025-04-07 14:12
Title
Read More & Accordion <= 3.4.5 - Cross-Site Request Forgery to Local File Inclusion
Summary
The Read More & Accordion plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.5. This is due to missing or incorrect nonce validation on the addNewButtons() function. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
Impacted products
Vendor Product Version
edmonparker Read More & Accordion Affected: * , ≤ 3.4.5 (semver)
Credits
Bassem Essam

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-0810",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-07T13:05:10.861244Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-07T14:12:32.633Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Read More \u0026 Accordion",
          "vendor": "edmonparker",
          "versions": [
            {
              "lessThanOrEqual": "3.4.5",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Bassem Essam"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Read More \u0026 Accordion plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.5. This is due to missing or incorrect nonce validation on the addNewButtons() function. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-05T01:44:44.158Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a963cd9b-9f8f-4bd2-92cd-74c5e85e1d96?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/expand-maker/trunk/classes/ReadMorePages.php#L82"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/expand-maker/trunk/classes/ReadMorePages.php#L59"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/expand-maker/trunk/classes/ReadMoreInit.php#L122"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-04-04T13:09:44.000+00:00",
          "value": "Disclosed"
        }
      ],
      "title": "Read More \u0026 Accordion \u003c= 3.4.5 - Cross-Site Request Forgery to Local File Inclusion"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-0810",
    "datePublished": "2025-04-05T01:44:44.158Z",
    "dateReserved": "2025-01-28T15:19:47.042Z",
    "dateUpdated": "2025-04-07T14:12:32.633Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-13639 (GCVE-0-2024-13639)

Vulnerability from nvd – Published: 2025-02-13 08:21 – Updated: 2025-02-13 14:37
Title
Read More & Accordion <= 3.4.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary 'Read More' Post Deletion
Summary
The Read More & Accordion plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the expmDeleteData() function in all versions up to, and including, 3.4.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary 'read more' posts.
CWE
  • CWE-862 - Missing Authorization
Assigner
Impacted products
Vendor Product Version
edmonparker Read More & Accordion Affected: * , ≤ 3.4.2 (semver)
Credits
Youcef Hamdani

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-13639",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-13T14:37:05.418825Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-13T14:37:16.807Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Read More \u0026 Accordion",
          "vendor": "edmonparker",
          "versions": [
            {
              "lessThanOrEqual": "3.4.2",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Youcef Hamdani"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Read More \u0026 Accordion plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the expmDeleteData() function in all versions up to, and including, 3.4.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary \u0027read more\u0027 posts."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-13T08:21:24.056Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/65849267-8bb5-48fd-b95e-e89a1e744fe0?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/expand-maker/trunk/files/ReadMoreAdminPost.php#L98"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/expand-maker/trunk/files/ReadMoreAdminPost.php#L9"
        },
        {
          "url": "https://wordpress.org/plugins/expand-maker/"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3239533/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-02-12T19:43:15.000+00:00",
          "value": "Disclosed"
        }
      ],
      "title": "Read More \u0026 Accordion \u003c= 3.4.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary \u0027Read More\u0027 Post Deletion"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2024-13639",
    "datePublished": "2025-02-13T08:21:24.056Z",
    "dateReserved": "2025-01-22T22:48:16.432Z",
    "dateUpdated": "2025-02-13T14:37:16.807Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}