Search criteria
2 vulnerabilities found for Accordion and Accordion Slider by essentialplugin
CVE-2026-0727 (GCVE-0-2026-0727)
Vulnerability from nvd – Published: 2026-02-14 06:42 – Updated: 2026-02-18 20:14
VLAI?
Title
Accordion and Accordion Slider <= 1.4.5 - Missing Authorization to Authenticated (Contributor+) Attachment Metadata Modification
Summary
The Accordion and Accordion Slider plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.5. This is due to the plugin not properly verifying that a user is authorized to perform an action in the 'wp_aas_save_attachment_data' and 'wp_aas_get_attachment_edit_form' functions. This makes it possible for authenticated attackers, with contributor level access and above, to read and modify attachment metadata including file paths, titles, captions, alt text, and custom links for any attachment on the site.
Severity ?
5.4 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| essentialplugin | Accordion and Accordion Slider |
Affected:
* , ≤ 1.4.5
(semver)
|
Credits
Kazuma Matsumoto
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0727",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-18T20:14:31.152757Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T20:14:39.611Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Accordion and Accordion Slider",
"vendor": "essentialplugin",
"versions": [
{
"lessThanOrEqual": "1.4.5",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kazuma Matsumoto"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Accordion and Accordion Slider plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.5. This is due to the plugin not properly verifying that a user is authorized to perform an action in the \u0027wp_aas_save_attachment_data\u0027 and \u0027wp_aas_get_attachment_edit_form\u0027 functions. This makes it possible for authenticated attackers, with contributor level access and above, to read and modify attachment metadata including file paths, titles, captions, alt text, and custom links for any attachment on the site."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T06:42:26.388Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1c5108f3-d80c-4646-8d40-3bdd1361c6ab?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/accordion-and-accordion-slider/tags/1.4.6/includes/admin/class-wp-aas-admin.php#L294"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-27T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-01-08T18:23:44.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-02-13T18:20:34.000Z",
"value": "Disclosed"
}
],
"title": "Accordion and Accordion Slider \u003c= 1.4.5 - Missing Authorization to Authenticated (Contributor+) Attachment Metadata Modification"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-0727",
"datePublished": "2026-02-14T06:42:26.388Z",
"dateReserved": "2026-01-08T14:53:42.062Z",
"dateUpdated": "2026-02-18T20:14:39.611Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0727 (GCVE-0-2026-0727)
Vulnerability from cvelistv5 – Published: 2026-02-14 06:42 – Updated: 2026-02-18 20:14
VLAI?
Title
Accordion and Accordion Slider <= 1.4.5 - Missing Authorization to Authenticated (Contributor+) Attachment Metadata Modification
Summary
The Accordion and Accordion Slider plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.5. This is due to the plugin not properly verifying that a user is authorized to perform an action in the 'wp_aas_save_attachment_data' and 'wp_aas_get_attachment_edit_form' functions. This makes it possible for authenticated attackers, with contributor level access and above, to read and modify attachment metadata including file paths, titles, captions, alt text, and custom links for any attachment on the site.
Severity ?
5.4 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| essentialplugin | Accordion and Accordion Slider |
Affected:
* , ≤ 1.4.5
(semver)
|
Credits
Kazuma Matsumoto
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0727",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-18T20:14:31.152757Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T20:14:39.611Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Accordion and Accordion Slider",
"vendor": "essentialplugin",
"versions": [
{
"lessThanOrEqual": "1.4.5",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kazuma Matsumoto"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Accordion and Accordion Slider plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.5. This is due to the plugin not properly verifying that a user is authorized to perform an action in the \u0027wp_aas_save_attachment_data\u0027 and \u0027wp_aas_get_attachment_edit_form\u0027 functions. This makes it possible for authenticated attackers, with contributor level access and above, to read and modify attachment metadata including file paths, titles, captions, alt text, and custom links for any attachment on the site."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-14T06:42:26.388Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1c5108f3-d80c-4646-8d40-3bdd1361c6ab?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/accordion-and-accordion-slider/tags/1.4.6/includes/admin/class-wp-aas-admin.php#L294"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-27T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-01-08T18:23:44.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-02-13T18:20:34.000Z",
"value": "Disclosed"
}
],
"title": "Accordion and Accordion Slider \u003c= 1.4.5 - Missing Authorization to Authenticated (Contributor+) Attachment Metadata Modification"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-0727",
"datePublished": "2026-02-14T06:42:26.388Z",
"dateReserved": "2026-01-08T14:53:42.062Z",
"dateUpdated": "2026-02-18T20:14:39.611Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}