Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UnboundStudio Accordion FAQ allows Reflected XSS.

This issue affects Accordion FAQ: from n/a through 2.2.1.
Published: 2026-06-02
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Accordion FAQ plugin for WordPress suffers from a reflected Cross‑Site Scripting (XSS) flaw caused by improper neutralization of user input during web page generation; this is a CWE‑79 weakness that allows an attacker to inject arbitrary client‑side script into the page viewed by an affected user, potentially enabling cookie theft, session hijacking, malicious redirects, and defacement of the site.

Affected Systems

The vulnerable product is the UnboundStudio Accordion FAQ WordPress plugin, with all versions up through 2.2.1 considered affected.

Risk and Exploitability

With a CVSS score of 7.1 the vulnerability is assessed as high severity; the EPSS score is not available and the issue is not listed in the CISA KEV catalog, indicating no publicly documented mass exploitation to date. Attackers can exploit the flaw remotely by delivering a crafted URL or form input that triggers the reflected XSS, thereby executing malicious JavaScript in the victim’s browser context.

Generated by OpenCVE AI on June 2, 2026 at 11:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade UnboundStudio Accordion FAQ to the latest version released after 2.2.1 to apply the vendor’s fix.
  • If an upgrade is not feasible, consider removing the plugin or replacing it with a different FAQ solution that properly sanitizes input.
  • Deploy a Content Security Policy that blocks inline scripts and unsafe-eval, and enable Web Application Firewall rules to filter suspicious payloads to reduce the impact of the XSS flaw while remediation is pending.

Generated by OpenCVE AI on June 2, 2026 at 11:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 02 Jun 2026 10:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UnboundStudio Accordion FAQ allows Reflected XSS. This issue affects Accordion FAQ: from n/a through 2.2.1.
Title WordPress Accordion FAQ plugin <= 2.2.1 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-02T10:43:37.457Z

Reserved: 2025-06-19T10:03:02.782Z

Link: CVE-2025-52759

cve-icon Vulnrichment

Updated: 2026-06-02T10:43:32.456Z

cve-icon NVD

Status : Deferred

Published: 2026-06-02T10:16:19.473

Modified: 2026-06-02T13:03:31.153

Link: CVE-2025-52759

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T11:30:07Z

Weaknesses