Description
Missing Authorization vulnerability in PickPlugins Accordion accordions allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Accordion: from n/a through <= 2.3.15.
Published: 2025-09-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a missing authorization check in the PickPlugins Accordion plugin, allowing an attacker to exploit incorrectly configured access control security levels. This broken access control can enable unauthorized users to modify plugin settings, content, or potentially other site data managed through the plugin. The weakness is classified as CWE‑862, indicating that proper user authentication and authorization checks are not enforced.

Affected Systems

The vulnerability affects the PickPlugins Accordion plugin for WordPress, impacting all installations of versions from the earliest available release up through version 2.3.15. No additional version specifics are provided in the source data, so any deployment of the plugin falling within this range is susceptible.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity, and the very low EPSS (< 1%) suggests that exploitation is unlikely at present. The plugin’s functionality is web‑based, so the attack vector is inferred to be remote via the WordPress front‑end or administrative interface. An attacker would need to access the plugin’s configuration pages without proper permission checks; the effect is limited to the scope of the plugin, but could compromise site integrity if the plugin is used to render content.

Generated by OpenCVE AI on April 30, 2026 at 06:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Accordion plugin to a version newer than 2.3.15 to apply the vendor‑issued fix.
  • If an upgrade is not immediately possible, remove or disable the plugin’s administrative pages or the plugin entirely to prevent unauthenticated access.
  • Configure WordPress role settings or use a capability‑restricting plugin to ensure that only users with administrator privileges can reach the Accordion settings.



Advisories
Source: EUVD
ID: EUVD-2025-30521
Title: Missing Authorization vulnerability in PickPlugins Accordion allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Accordion: from n/a through 2.3.14.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Missing Authorization vulnerability in PickPlugins Accordion allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Accordion: from n/a through 2.3.14.
  Added: Missing Authorization vulnerability in PickPlugins Accordion accordions allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Accordion: from n/a through <= 2.3.15.
Title
  Removed: WordPress Accordion Plugin <= 2.3.14 - Broken Access Control Vulnerability
  Added: WordPress Accordion Plugin <= 2.3.15 - Broken Access Control Vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Tue, 23 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Pickplugins
Pickplugins accordion
Wordpress
Wordpress wordpress
Vendors & Products Pickplugins
Pickplugins accordion
Wordpress
Wordpress wordpress

Tue, 23 Sep 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Sep 2025 18:30:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in PickPlugins Accordion allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Accordion: from n/a through 2.3.14.
Title WordPress Accordion Plugin <= 2.3.14 - Broken Access Control Vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:46.323Z

Reserved: 2025-09-03T09:03:46.831Z

Link: CVE-2025-58678

Vulnrichment

Updated: 2025-09-23T13:59:19.047Z

NVD

Status: Deferred

Published: 2025-09-22T19:16:19.140

Modified: 2026-04-23T15:33:34.787

Link: CVE-2025-58678

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T07:00:13Z

Weaknesses