The B Accordion plugin for WordPress contains a flaw that permits the insertion of sensitive information into data that is subsequently sent to users. This bug enables an attacker to retrieve embedded sensitive data, thereby violating the confidentiality of confidential information. The weakness is classified as CWE-201, indicating that data intended to remain private is inadvertently exposed during transmission or output.

Vulnerable systems are WordPress sites that have installed the B Accordion plugin in any version up to and including 2.0.2. The plugin is distributed by bPlugins and is used to create accordion‑style content on WordPress pages or posts. Sites that have not applied an upgrade past 2.0.2 are susceptible to data leakage through the plugin’s rendering process.

With a CVSS score of 6.5 the vulnerability carries moderate severity. The EPSS score of less than 1% suggests a very low likelihood of exploitation at present, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is via the plugin’s interface, which may be accessed by authenticated users with editing privileges; however, the description does not disclose a public exploitation path, so any exploitation probably requires some level of authentication or existing access to the plugin’s settings. The absence of imminent, publicly available exploits implies that the primary mitigation focus is remediation rather than immediate defensive measures.