Description
The Read More & Accordion plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.7. This is due to missing or incorrect nonce validation on the addNewButtons() function. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-04-05
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via Local File Inclusion
Action: Patch Immediately
AI Analysis

Impact

The addNewButtons() function of the Read More & Accordion plugin performs no (or incorrect) nonce validation, so any request that reaches it is accepted whether or not it originated from the plugin's own admin page. An unauthenticated attacker who lures a logged-in administrator into loading a crafted link or page can therefore have the administrator's browser submit a forged request that the site treats as a legitimate administrative action. Because that action ends in a file inclusion, the forged request can make the server include and execute a PHP file already present on its filesystem (a local file inclusion, as the CVE title states); the included code runs under the web server's account, with the administrator's session serving only to authorize the request. The result is remote code execution on the affected site, with full loss of confidentiality, integrity and availability.

Affected Systems

Affected systems are WordPress installations running the edmonparker Read More & Accordion plugin at version 3.4.7 or earlier. Every release up through 3.4.7 lacks the nonce check on addNewButtons(), so all sites on those versions are exposed regardless of how the plugin is configured.

Risk and Exploitability

The CVSS v3.1 base score of 7.5 is rated High. The vector (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) records network reachability, no privileges required and complete impact on confidentiality, integrity and availability, tempered by High attack complexity and required user interaction: the attacker must get a logged-in administrator to load the forged request. The EPSS score below 1% indicates a low observed probability of exploitation, the CVE is not listed in CISA's KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no. The forged request itself needs no authentication and can be served from any origin, so exposure is not limited to attackers with existing access; the constraining factor is the social-engineering step rather than any access requirement on the site.

Generated by OpenCVE AI on April 21, 2026 at 21:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Read More & Accordion plugin to a release later than 3.4.7 that adds nonce validation to addNewButtons(), as soon as the vendor publishes one; confirm the fix in the plugin changelog rather than relying on a newer version number alone.
  • If an upgrade is not possible, deactivate and delete the plugin until a fixed release exists; with the plugin removed, the vulnerable handler is no longer reachable.
  • Remind administrators that a forged request rides on their existing logged-in session, so strong passwords and two-factor authentication do not stop it. Advise them to avoid following untrusted links while logged in to wp-admin and to log out when not actively administering the site.
  • Deploy a web application firewall rule for the endpoint that serves addNewButtons(). A WAF cannot validate WordPress nonces (they are derived per user and session), so instead block requests to that endpoint whose Origin or Referer header does not match the site's own origin, or block the endpoint outright, as a stopgap until a fixed release is installed.

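The following is an added example, not code from the Read More & Accordion plugin or from Wordfence: a hypothetical admin handler shaped like the flaw described under Impact (an include whose path comes from the request, reachable without a nonce check) next to a hardened handler of the kind the recommended actions call for, plus the form that legitimately drives it. The hook names, function names, the `template` parameter, the `_rma_nonce` field and the template paths are all assumptions; the plugin's real parameter and hook names are not given on this page.

```php
<?php
/**
 * Added example (not the Read More & Accordion plugin's code). Shows a
 * request-controlled include reachable without a nonce check, and the
 * hardened shape. Every name below (hooks, functions, the 'template'
 * parameter, '_rma_nonce', the template paths) is an assumption.
 */

// --- Vulnerable shape: reachable by a logged-in admin's browser, including via a forged request.
function rma_example_add_new_buttons_vulnerable() {
    // No nonce check: WordPress cannot tell a request the admin initiated
    // from one a third-party page submitted on their behalf (CSRF).
    $template = isset( $_REQUEST['template'] ) ? (string) $_REQUEST['template'] : '';

    // The include path is built from request input, so the forged request
    // can point it at any PHP file already on the server (LFI -> RCE).
    include plugin_dir_path( __FILE__ ) . 'templates/' . $template;
}
add_action( 'admin_post_rma_example_add_buttons_vuln', 'rma_example_add_new_buttons_vulnerable' );

// --- Hardened shape.
function rma_example_add_new_buttons_safe() {
    // 1. CSRF control: the request must carry a nonce minted for this
    //    action, this user and this session. check_admin_referer() ends
    //    the request with a 403 page when the nonce is absent or invalid.
    check_admin_referer( 'rma_example_add_buttons', '_rma_nonce' );

    // 2. Authorization: a nonce proves intent, not privilege.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
    }

    // 3. Remove the inclusion primitive: map a short token to a fixed
    //    allowlist instead of ever including a request-derived path.
    $allowed = array(
        'accordion' => 'templates/accordion.php',
        'readmore'  => 'templates/readmore.php',
    );
    $key = isset( $_POST['template'] ) ? sanitize_key( $_POST['template'] ) : '';
    if ( ! isset( $allowed[ $key ] ) ) {
        wp_die( 'Unknown template.', '', array( 'response' => 400 ) );
    }
    include plugin_dir_path( __FILE__ ) . $allowed[ $key ];

    wp_safe_redirect( admin_url( 'admin.php?page=rma-example&updated=1' ) );
    exit;
}
add_action( 'admin_post_rma_example_add_buttons', 'rma_example_add_new_buttons_safe' );

// The legitimate form (assumed to be rendered on a plugin admin page).
// wp_nonce_field() emits the hidden '_rma_nonce' input that
// check_admin_referer() above verifies; a page on another origin cannot
// produce that value for the victim's session.
function rma_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="rma_example_add_buttons">
        <?php wp_nonce_field( 'rma_example_add_buttons', '_rma_nonce' ); ?>
        <select name="template">
            <option value="accordion">Accordion</option>
            <option value="readmore">Read more</option>
        </select>
        <?php submit_button( 'Add buttons' ); ?>
    </form>
    <?php
}
```

check_admin_referer() is the WordPress CSRF control: it verifies a nonce tied to the action, the current user and their session token, which is why a WAF cannot stand in for it. The nonce proves intent, not privilege, so the capability check stays; and the allowlist removes the inclusion primitive entirely, so even a request that somehow carries a valid nonce can only select one of two fixed files.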

Tracking


Advisories
Source: EUVD
ID: EUVD-2025-10019
Title: The Read More & Accordion plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.5. This is due to missing or incorrect nonce validation on the addNewButtons() function. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Wed, 08 Apr 2026 18:30:00 +0000

Type: Description
Values Removed: The Read More & Accordion plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.5. This is due to missing or incorrect nonce validation on the addNewButtons() function. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Values Added: The Read More & Accordion plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.7. This is due to missing or incorrect nonce validation on the addNewButtons() function. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Type: Title
Values Removed: Read More & Accordion <= 3.4.5 - Cross-Site Request Forgery to Local File Inclusion
Values Added: Read More & Accordion <= 3.4.7 - Cross-Site Request Forgery to Local File Inclusion
References

Mon, 07 Apr 2025 15:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 05 Apr 2025 02:15:00 +0000

Type: Title
Values Added: Read More & Accordion <= 3.4.5 - Cross-Site Request Forgery to Local File Inclusion

Sat, 05 Apr 2025 03:00:00 +0000

Type: Description
Values Added: The Read More & Accordion plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.5. This is due to missing or incorrect nonce validation on the addNewButtons() function. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Type: Weaknesses
Values Added: CWE-352
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:14:06.912Z

Reserved: 2025-01-28T15:19:47.042Z

Link: CVE-2025-0810

Vulnrichment

Updated: 2025-04-07T13:05:12.259Z

NVD

Status: Deferred

Published: 2025-04-05T02:15:15.140

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-0810

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T21:30:45Z

Weaknesses