Description
Cross-Site Request Forgery (CSRF) vulnerability in QuanticaLabs CSS3 Accordions for WordPress css3_accordions allows Stored XSS.This issue affects CSS3 Accordions for WordPress: from n/a through <= 3.0.
Published: 2025-05-16
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Cross‑Site Request Forgery vulnerability in the CSS3 Accordions for WordPress plugin allows an attacker to cause a logged‑in user to submit a malicious request that stores arbitrary JavaScript in the plugin’s data. The stored script is then served to any visitor of the affected site, enabling client‑side code execution, defacement, or data exfiltration. This weakness is classified as CWE-352.

Affected Systems

The vulnerability affects the CSS3 Accordions for WordPress plugin from QuanticaLabs, versions up to and including 3.0. Any installation of this plugin, regardless of the WordPress theme or other plugins, is potentially compromised if the version has not been updated beyond 3.0.

Risk and Exploitability

The CVSS base score of 7.1 denotes a high severity incident, while the EPSS score of less than 1% indicates a low yet non‑zero likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires a victim to be logged in and to visit a malicious URL that triggers the CSRF action, after which the injected script will persist for all future visitors. The impact is primarily client‑side, but attackers could use the stored XSS to steal session cookies or inject phishing content.

Generated by OpenCVE AI on April 30, 2026 at 20:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CSS3 Accordions for WordPress to the latest available release, which removes the CSRF and stored XSS flaw.
  • If an upgrade is not possible, deactivate or delete the plugin to entirely eliminate the vulnerability.
  • As a temporary protective measure, restrict access to the plugin’s administrative URLs to trusted administrators only and employ a WordPress CSRF protection plugin that enforces Nonce validation on all plugin forms.

Generated by OpenCVE AI on April 30, 2026 at 20:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-15474 Cross-Site Request Forgery (CSRF) vulnerability in QuanticaLabs CSS3 Accordions for WordPress allows Stored XSS. This issue affects CSS3 Accordions for WordPress: from n/a through 3.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in QuanticaLabs CSS3 Accordions for WordPress allows Stored XSS. This issue affects CSS3 Accordions for WordPress: from n/a through 3.0. Cross-Site Request Forgery (CSRF) vulnerability in QuanticaLabs CSS3 Accordions for WordPress css3_accordions allows Stored XSS.This issue affects CSS3 Accordions for WordPress: from n/a through <= 3.0.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Fri, 16 May 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 16 May 2025 16:00:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in QuanticaLabs CSS3 Accordions for WordPress allows Stored XSS. This issue affects CSS3 Accordions for WordPress: from n/a through 3.0.
Title WordPress CSS3 Accordions for WordPress plugin <= 3.0 - CSRF to Stored XSS vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:16.280Z

Reserved: 2025-04-01T13:21:56.250Z

Link: CVE-2025-31922

cve-icon Vulnrichment

Updated: 2025-05-16T16:41:09.480Z

cve-icon NVD

Status : Deferred

Published: 2025-05-16T16:15:38.073

Modified: 2026-04-23T15:28:34.053

Link: CVE-2025-31922

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T20:15:16Z

Weaknesses