The vulnerability is an improper neutralization of user supplied input during web page generation, allowing stored XSS. An attacker can inject malicious scripts that are rendered in the browser when any user views a page containing the accordion content, potentially stealing session cookies, defacing the site, or executing arbitrary instructions in the victim’s browser. The impact is limited to confidentiality and integrity of user sessions and the integrity of the site content; it does not provide direct remote code execution on the server host.

The affected product is the byBrick Accordion plugin, developed by David Paulsson, for WordPress. Versions up to and including 1.0 are vulnerable. No specific patch or newer version is listed in the CVE data, so all installations using 1.0 or earlier are at risk.

The CVSS score of 6.5 indicates a moderate to high severity threat. The EPSS score of < 1% means that the probability of exploitation is currently low, and the vulnerability is not listed in the CISA KEV catalog. Based on the description the likely attack vector is stored XSS, where an attacker inserts malicious script into accordion content that is later displayed to site visitors. Exploiting this does not require special privileges beyond creating or editing accordion content, which for a public WordPress site could be achieved by an authenticated or, if the site allows guest content editors, even unauthenticated users.