The vulnerability arises when the ‘title’ attribute of the accordion shortcode accepts unsanitized input, allowing a contributor or higher level user to place arbitrary JavaScript that is saved into the post content. When a victim later views the page the injected script runs in the victim’s browser, giving an attacker the ability to deface the site, steal session cookies, or perform other client‑side attacks. The weakness is a classic reflected input‑validation flaw identified as CWE‑79, and it affects the confidentiality and integrity of the web content by enabling unauthorized script execution.

The Simple Wp colorfull Accordion plugin provided by vendor nayon46 is affected in all released versions up to and including 1.0. No specific patch version is listed, but the issue does not exist in releases above 1.0 if they have been released.

The CVSS score of 6.4 indicates a moderate severity, while the EPSS score of less than 1% shows that only a small fraction of potential targets may exploit the flaw. The vulnerability is not catalogued in the CISA KEV list yet. Exploitation requires the attacker to have Contributor‑level or higher WordPress access, after which they can pre‑populate the ‘title’ field in an accordion shortcode. Once populated, the code is stored and executed on any subsequent page view by any user, making the attack effective only after the initial injection and any further users visiting the infected page.