Description
Deserialization of Untrusted Data vulnerability in PickPlugins Accordion accordions allows Object Injection. This issue affects Accordion: from n/a through <= 2.3.11.
Published: 2025-04-11
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Deserialization of untrusted data in the PickPlugins Accordion plugin allows arbitrary PHP object injection, which can be leveraged by an attacker to execute arbitrary code on the host web server. An exploit that successfully injects a crafted object would break the integrity of the application, potentially giving full control over the affected WordPress site.

Affected Systems

The vulnerability affects the PickPlugins Accordion plugin for WordPress, versions up through 2.3.11 inclusive. Any site running that or earlier releases of the plugin is susceptible.

Risk and Exploitability

The CVSS v3.1 score of 8.8 indicates high severity, and the EPSS score of less than 1% suggests a low current exploitation probability. The flaw is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is an HTTP request containing a serialized object that the plugin deserializes, so an attacker can remotely supply the payload without needing prior access to the site.

Generated by OpenCVE AI on April 30, 2026 at 23:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the PickPlugins Accordion plugin to version 2.3.12 or later to eliminate the deserialization flaw.
  • If an updated version is not yet available, permanently disable the Accordion plugin until a patch can be applied.
  • Review and restrict the plugin’s configuration to remove any custom code that could be injected through its parameters, and monitor incoming requests for suspicious serialized objects.


Advisories
Source: EUVD
ID: EUVD-2025-10780
Title: Deserialization of Untrusted Data vulnerability in PickPlugins Accordion allows Object Injection. This issue affects Accordion: from n/a through 2.3.10.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Deserialization of Untrusted Data vulnerability in PickPlugins Accordion allows Object Injection. This issue affects Accordion: from n/a through 2.3.10.
  Added: Deserialization of Untrusted Data vulnerability in PickPlugins Accordion accordions allows Object Injection. This issue affects Accordion: from n/a through <= 2.3.11.
Title
  Removed: WordPress Accordion plugin <= 2.3.10 - PHP Object Injection vulnerability
  Added: WordPress Accordion plugin <= 2.3.11 - PHP Object Injection vulnerability
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 11 Apr 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 11 Apr 2025 09:00:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in PickPlugins Accordion allows Object Injection. This issue affects Accordion: from n/a through 2.3.10.
Title WordPress Accordion plugin <= 2.3.10 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Pickplugins Accordion
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:17.047Z

Reserved: 2025-04-04T10:00:50.063Z

Link: CVE-2025-32143

Vulnrichment

Updated: 2025-04-11T15:11:24.517Z

NVD

Status: Deferred

Published: 2025-04-11T09:15:22.453

Modified: 2026-04-23T15:28:38.257

Link: CVE-2025-32143

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T23:15:05Z

Weaknesses