CVE-2026-6443 - Vulnerability Details

- Accordion and Accordion Slider 1.4.6 - Injected Backdoor

Description

The Accordion and Accordion Slider plugin for WordPress is vulnerable to an injected backdoor in version 1.4.6. This is due to the plugin being sold to a malicious threat actor that embedded a backdoor in all of the plugin's they acquired. This makes it possible for the threat actor to maintain a persistent backdoor and inject spam into the affected sites.

Published: 2026-04-17

Score: 9.8 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Accordion and Accordion Slider plugin for WordPress is vulnerable because version 1.4.6 contains an injected backdoor that was embedded by a malicious third‑party during the plugin’s sale, reflecting a CWE‑506 vulnerability that introduces code with elevated privileges. The backdoor allows an attacker to maintain persistent access to the affected sites and inject spam or perform other malicious actions. Based on the description, it is inferred that this presents a high‑level risk of unauthorized code execution, data compromise, and broader site compromise.

Affected Systems

The vulnerability affects the WordPress plugin Accordion and Accordion Slider, version 1.4.6, sold by essentialplugin. Any WordPress site installing this exact version is directly impacted. No other versions or products are listed as affected.

Risk and Exploitability

With a CVSS score of 9.8, this issue is considered critical. The EPSS score is not available, but the backdoor appears to have already been deployed in many sites, suggesting a significant exploitation risk. The vulnerability is not yet listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector is straightforward: sites that deploy the compromised plugin are immediately compromised, providing an attacker with a full backdoor and spam capabilities.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

essentialplugin

Accordion and Accordion Slider

unaffected

Version	Status	Constraints
`1.4.6`	affected	—

No data.

Vendor Product Confidence Versions

Essentialplugin

Accordion And Accordion Slider

100%

Version	Status	Scheme	Platform
`1.4.6`	affected	semver	—

Wordpress

80%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Uninstall the vulnerable Accordion and Accordion Slider plugin, then reinstall a clean version from the official WordPress plugin repository.
Scan all site files, especially the plugin directory, for injected or hard‑coded credentials and remove any malicious code found.
Review site users and permissions for any unauthorized accounts that may have been added by the backdoor, removing them and resetting passwords as needed.

Generated by OpenCVE AI on April 17, 2026 at 09:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00044.

Exploitation none

Automatable yes

Technical Impact total

References

Link	Providers
https://anchor.host/someone-bought-30-wordpress-plugins-and-planted-a-backdoor-in-all-of-them/
https://www.wordfence.com/threat-intel/vulnerabilities/id/2597724a-9a39-4e46-b153-f42366f833ba?source=cve

History

Fri, 17 Apr 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 17 Apr 2026 09:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Essentialplugin Essentialplugin accordion And Accordion Slider Wordpress Wordpress wordpress
Vendors & Products		Essentialplugin Essentialplugin accordion And Accordion Slider Wordpress Wordpress wordpress

Fri, 17 Apr 2026 07:00:00 +0000

Type	Values Removed	Values Added
Description		The Accordion and Accordion Slider plugin for WordPress is vulnerable to an injected backdoor in version 1.4.6. This is due to the plugin being sold to a malicious threat actor that embedded a backdoor in all of the plugin's they acquired. This makes it possible for the threat actor to maintain a persistent backdoor and inject spam into the affected sites.
Title		Accordion and Accordion Slider 1.4.6 - Injected Backdoor
Weaknesses		CWE-506
References		https://anchor.host/someone-bought-30-wordpress-plugins-and-planted-a-backdoor-in-all-of-them/ https://www.wordfence.com/threat-intel/vulnerabilities/id/2597724a-9a39-4e46-b153-f42366f833ba?source=cve
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

Essentialplugin Accordion And Accordion Slider

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-04-17T06:44:49.128Z

Updated: 2026-04-17T18:49:42.999Z

Reserved: 2026-04-16T18:22:16.366Z

Link: CVE-2026-6443

Vulnrichment

Updated: 2026-04-17T18:49:38.790Z

NVD

Status : Received

Published: 2026-04-17T07:16:03.160

Modified: 2026-04-17T07:16:03.160

Link: CVE-2026-6443

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T09:30:14Z

Weaknesses

CWE-506

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object