Description
Missing Authorization vulnerability in PickPlugins Accordion accordions allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Accordion: from n/a through <= 2.3.14.
Published: 2025-10-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization flaw in the PickPlugins Accordion WordPress plugin. Attackers can exploit incorrect access control settings to gain unauthorized control over the plugin’s administrative functions. This flaw is classified as CWE‑862, which allows unauthorized modification of application state or configuration. Exploitation could let an attacker add, modify, or delete accordion entries and potentially inject arbitrary content into the site, compromising confidentiality and integrity of site data.

Affected Systems

PickPlugins Accordion plugin for WordPress, affecting all releases through version 2.3.14. Any website that has the plugin installed at a version equal to or lower than 2.3.14 is affected. The vulnerability is present in all variations of the plugin’s configuration, regardless of user role, as the access control is broken across the board.

Risk and Exploitability

The CVSS score of 6.5 indicates a medium severity vulnerability that can impact the confidentiality or integrity of the host site. The EPSS score of less than 1% suggests a low probability of exploitation in the wild, and the CVE is not listed in the CISA KEV catalogue. The attack vector is likely remote, via web requests to the plugin’s administrative endpoints; however, the description does not explicitly state the vector, so this assessment is inferred from the nature of WordPress plugins and typical access control weaknesses. An attacker would need either legitimate WordPress administrative credentials or an environment with unrestricted access to the plugin’s admin interface to exploit this flaw.

Generated by OpenCVE AI on April 30, 2026 at 05:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest PickPlugins Accordion release that includes the fix for the missing authorization issue.
  • If upgrading is not possible immediately, disable or uninstall the plugin to eliminate the vulnerable code path.
  • Apply strict role‑based access controls, ensuring that only authorized administrators can reach the plugin’s management interface, and consider adding network‑level restrictions such as IP blocking or VPN access for admin pages.

Generated by OpenCVE AI on April 30, 2026 at 05:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Fri, 14 Nov 2025 09:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}

Thu, 13 Nov 2025 11:30:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
References

Thu, 23 Oct 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 23 Oct 2025 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Pickplugins
Pickplugins accordion
Wordpress
Wordpress wordpress
Vendors & Products Pickplugins
Pickplugins accordion
Wordpress
Wordpress wordpress

Wed, 22 Oct 2025 14:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in PickPlugins Accordion accordions allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Accordion: from n/a through <= 2.3.14.
Title WordPress Accordion plugin <= 2.3.14 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Pickplugins Accordion
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:24.592Z

Reserved: 2025-06-30T10:46:02.700Z

Link: CVE-2025-53421

cve-icon Vulnrichment

Updated: 2025-10-23T13:47:38.782Z

cve-icon NVD

Status : Deferred

Published: 2025-10-22T15:15:49.437

Modified: 2026-04-27T18:16:21.693

Link: CVE-2025-53421

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T05:45:16Z

Weaknesses