Refine your search
2 vulnerabilities found for Accordion and Accordion Slider by essentialplugin
CVE-2026-6443 (GCVE-0-2026-6443)
Vulnerability from cvelistv5
Published
2026-04-17 06:44
Modified
2026-04-21 19:53
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-506 - Embedded Malicious Code
Summary
All plugins by Essentialplugin for WordPress are vulnerable to an injected backdoor in various versions. This is due to the plugin being sold to a malicious threat actor that embedded a backdoor in all of the plugin's they acquired. This makes it possible for the threat actor to maintain a persistent backdoor and inject spam into the affected sites.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6443",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-17T18:49:32.019393Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T18:49:42.999Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Accordion and Accordion Slider",
"vendor": "essentialplugin",
"versions": [
{
"status": "affected",
"version": "1.4.6"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Portfolio and Projects",
"vendor": "essentialplugin",
"versions": [
{
"status": "affected",
"version": "1.5.6"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Featured Post Creative",
"vendor": "essentialplugin",
"versions": [
{
"status": "affected",
"version": "1.5.7"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Post grid and filter ultimate",
"vendor": "essentialplugin",
"versions": [
{
"status": "affected",
"version": "1.7.4"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WP Featured Content and Slider",
"vendor": "essentialplugin",
"versions": [
{
"status": "affected",
"version": "1.7.6"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Post Ticker Ultimate",
"vendor": "essentialplugin",
"versions": [
{
"status": "affected",
"version": "1.7.6"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Trending/Popular Post Slider and Widget",
"vendor": "essentialplugin",
"versions": [
{
"status": "affected",
"version": "1.8.6"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Meta Slider and Carousel with Lightbox",
"vendor": "essentialplugin",
"versions": [
{
"status": "affected",
"version": "2.0.8"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Album and Image Gallery Plus Lightbox",
"vendor": "essentialplugin",
"versions": [
{
"status": "affected",
"version": "2.1.8"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Timeline and History slider",
"vendor": "essentialplugin",
"versions": [
{
"status": "affected",
"version": "2.4.5"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WP Blog and Widgets",
"vendor": "essentialplugin",
"versions": [
{
"status": "affected",
"version": "2.6.6"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Countdown Timer Ultimate",
"vendor": "essentialplugin",
"versions": [
{
"status": "affected",
"version": "2.6.9"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Blog Designer \u2013 Post and Widget",
"vendor": "essentialplugin",
"versions": [
{
"status": "affected",
"version": "2.7.7"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Team Slider and Team Grid Showcase plus Team Carousel",
"vendor": "essentialplugin",
"versions": [
{
"status": "affected",
"version": "2.8.6"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Video gallery and Player",
"vendor": "essentialplugin",
"versions": [
{
"status": "affected",
"version": "2.8.7"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Popup Maker and Popup Anything \u2013 Popup for opt-ins and Lead Generation Conversions",
"vendor": "essentialplugin",
"versions": [
{
"status": "affected",
"version": "2.9.1"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Testimonial Grid and Testimonial Slider plus Carousel with Rotator Widget",
"vendor": "essentialplugin",
"versions": [
{
"status": "affected",
"version": "3.5.6"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WP Responsive Recent Post Slider/Carousel",
"vendor": "essentialplugin",
"versions": [
{
"status": "affected",
"version": "3.7.1"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WP Slick Slider and Image Carousel",
"vendor": "essentialplugin",
"versions": [
{
"status": "affected",
"version": "3.7.8.1"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WP Logo Showcase Responsive Slider and Carousel",
"vendor": "essentialplugin",
"versions": [
{
"status": "affected",
"version": "3.8.7"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WP responsive FAQ with category plugin",
"vendor": "essentialplugin",
"versions": [
{
"status": "affected",
"version": "3.9.5"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WP News and Scrolling Widgets",
"vendor": "essentialplugin",
"versions": [
{
"status": "affected",
"version": "5.0.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Eu Joe Chegne"
},
{
"lang": "en",
"type": "finder",
"value": "Damien"
}
],
"descriptions": [
{
"lang": "en",
"value": "All plugins by Essentialplugin for WordPress are vulnerable to an injected backdoor in various versions. This is due to the plugin being sold to a malicious threat actor that embedded a backdoor in all of the plugin\u0027s they acquired. This makes it possible for the threat actor to maintain a persistent backdoor and inject spam into the affected sites."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-506",
"description": "CWE-506 Embedded Malicious Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T19:53:07.705Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2597724a-9a39-4e46-b153-f42366f833ba?source=cve"
},
{
"url": "https://anchor.host/someone-bought-30-wordpress-plugins-and-planted-a-backdoor-in-all-of-them/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-16T18:38:10.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-04-09T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Essentialplugin Plugins (Various Versions) - Injected Backdoor"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-6443",
"datePublished": "2026-04-17T06:44:49.128Z",
"dateReserved": "2026-04-16T18:22:16.366Z",
"dateUpdated": "2026-04-21T19:53:07.705Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0727 (GCVE-0-2026-0727)
Vulnerability from cvelistv5
Published
2026-02-14 06:42
Modified
2026-04-08 16:39
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
The Accordion and Accordion Slider plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.5. This is due to the plugin not properly verifying that a user is authorized to perform an action in the 'wp_aas_save_attachment_data' and 'wp_aas_get_attachment_edit_form' functions. This makes it possible for authenticated attackers, with contributor level access and above, to read and modify attachment metadata including file paths, titles, captions, alt text, and custom links for any attachment on the site.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| essentialplugin | Accordion and Accordion Slider |
Version: 0 ≤ 1.4.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0727",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-18T20:14:31.152757Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T20:14:39.611Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Accordion and Accordion Slider",
"vendor": "essentialplugin",
"versions": [
{
"lessThanOrEqual": "1.4.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kazuma Matsumoto"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Accordion and Accordion Slider plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.5. This is due to the plugin not properly verifying that a user is authorized to perform an action in the \u0027wp_aas_save_attachment_data\u0027 and \u0027wp_aas_get_attachment_edit_form\u0027 functions. This makes it possible for authenticated attackers, with contributor level access and above, to read and modify attachment metadata including file paths, titles, captions, alt text, and custom links for any attachment on the site."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:39:42.849Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1c5108f3-d80c-4646-8d40-3bdd1361c6ab?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/accordion-and-accordion-slider/tags/1.4.6/includes/admin/class-wp-aas-admin.php#L294"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-27T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-01-08T18:23:44.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-02-13T18:20:34.000Z",
"value": "Disclosed"
}
],
"title": "Accordion and Accordion Slider \u003c= 1.4.5 - Missing Authorization to Authenticated (Contributor+) Attachment Metadata Modification"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-0727",
"datePublished": "2026-02-14T06:42:26.388Z",
"dateReserved": "2026-01-08T14:53:42.062Z",
"dateUpdated": "2026-04-08T16:39:42.849Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}