Description
The Read More & Accordion plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 3.5.7. This is due to the use of esc_sql() without surrounding the value in quotes in an ORDER BY clause inside the getAllDataByLimit() and getAccordionAllDataByLimit() functions in ReadMoreData.php. The user-supplied $_GET['orderby'] value is only processed through esc_attr() (an HTML-escaping function) before being passed to these database functions, where esc_sql() is applied but the value is directly concatenated—unquoted—into the ORDER BY fragment of the SQL query before $wpdb->prepare() is called. Because esc_sql() only escapes quote characters and backslashes (which are irrelevant in an unquoted ORDER BY context), an attacker can inject arbitrary SQL expressions such as (SELECT SLEEP(5)) or conditional subqueries to perform time-based blind data extraction. This makes it possible for authenticated attackers with administrator-level access or above (or any role explicitly permitted access to the plugin's admin pages via the yrm-user-roles setting) to extract sensitive data from the database, including administrator credential hashes.
Published: 2026-05-20
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Read More & Accordion plugin for WordPress permits a time‑based blind SQL injection through the orderby GET parameter. The value is processed only with esc_attr() and is escaped with esc_sql() but inserted directly, without surrounding quotes, into an ORDER BY clause before the query is prepared. This flaw allows an attacker to inject arbitrary SQL expressions such as (SELECT SLEEP(5)), enabling them to probe database contents covertly. An authenticated user with administrator or higher privileges—or any role with plugin‑admin access via yrm-user-roles—can exploit the flaw to extract sensitive data, including administrator password hashes.

Affected Systems

The vulnerability affects all releases of the Read More & Accordion WordPress plugin from edmonparker that are version 3.5.7 or older. Current users with these versions and administrator‑level access should be notified.

Risk and Exploitability

The CVSS score of 4.9 indicates moderate severity; the EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. The attack requires authenticated access at the administrator level, so its exploitation window is limited to sites where such permissions exist. A successful exploit can lead to data exfiltration, credential theft, and potential further compromise if attackers pivot within the database.

Generated by OpenCVE AI on May 20, 2026 at 03:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Read More & Accordion plugin to a version newer than 3.5.7, which contains the fixed SQL query handling.
  • Limit the roles that can access the plugin’s administrative interfaces; exclude non‑administrator accounts from the yrm-user-roles setting.
  • Implement input validation on the orderby parameter, ensuring it contains only known column names and is quoted appropriately before use in any SQL statement.
  • Monitor database logs for anomalous ORDER BY usage, particularly for time‑based queries or unexpected subqueries.

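As an added illustration of the flaw described above and of the allow-list and log-monitoring actions recommended here (example code written for this page, not code from the plugin or from OpenCVE): a Python model of why escaping quotes does nothing for an unquoted ORDER BY identifier, the allow-list check that replaces it, and a scan of constructed query-log lines for subqueries or timing functions in ORDER BY position. The table name, column names and log lines are constructed; the plugin's real schema is not given in the advisory.

```python
import re
import sqlite3

# Constructed allow-list: the columns a list view may legitimately sort by.
ALLOWED_ORDERBY = {"id", "title", "create_time"}

def esc_sql_like(value: str) -> str:
    """Model of esc_sql(): escapes quotes and backslashes, nothing else."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')

def vulnerable_orderby(orderby: str) -> str:
    """The pattern the advisory describes: escaped, then concatenated unquoted.
    An expression such as (SELECT SLEEP(5)) contains no quote characters, so it
    survives esc_sql() untouched and becomes part of the ORDER BY clause."""
    return "SELECT id, title FROM accordion ORDER BY " + esc_sql_like(orderby)

def safe_orderby(orderby: str) -> str:
    """Allow-list the identifier instead of escaping it; anything not on the
    list falls back to a fixed default column and never reaches the query."""
    column = orderby if orderby in ALLOWED_ORDERBY else "id"
    return f"SELECT id, title FROM accordion ORDER BY {column}"

def run_safe(orderby: str) -> list:
    """Run the hardened query against a constructed in-memory table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accordion (id INTEGER, title TEXT, create_time TEXT)")
    con.executemany("INSERT INTO accordion VALUES (?, ?, ?)",
                    [(1, "zeta", "2026-01-02"), (2, "alpha", "2026-01-01")])
    return [row[0] for row in con.execute(safe_orderby(orderby))]

# Detection side: flag ORDER BY clauses carrying a subquery or a timing
# function, the shapes the advisory names, in query text as it would appear
# in a MySQL general log.
SUSPICIOUS_ORDERBY = re.compile(
    r"ORDER\s+BY\s+[^;]*?(\(\s*SELECT\b|\bSLEEP\s*\(|\bBENCHMARK\s*\()", re.I)

def flag_orderby_anomalies(log_lines) -> list:
    return [line for line in log_lines if SUSPICIOUS_ORDERBY.search(line)]

# Constructed sample log lines (table names and timestamps are made up).
SAMPLE_LOG = [
    "2026-05-20T10:15:00Z Query SELECT id, title FROM wp_accordion ORDER BY id DESC LIMIT 0, 20",
    "2026-05-20T10:15:07Z Query SELECT id, title FROM wp_accordion ORDER BY (SELECT SLEEP(5)) LIMIT 0, 20",
    "2026-05-20T10:15:13Z Query SELECT id, title FROM wp_accordion ORDER BY (SELECT IF(1=1,id,title)) LIMIT 0, 20",
    "2026-05-20T10:16:00Z Query SELECT COUNT(*) FROM wp_posts WHERE post_status='publish'",
]
```

In a WordPress plugin the same allow-list check is an in_array() against a fixed list of column names, or WordPress's own sanitize_sql_orderby(), applied before the value is concatenated.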


Advisories

No advisories yet.

History

Wed, 20 May 2026 18:30:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 May 2026 10:15:00 +0000

Type: First Time appeared
Values added: Edmonsoft; Edmonsoft read More & Accordion; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values added: Edmonsoft; Edmonsoft read More & Accordion; Wordpress; Wordpress wordpress

Wed, 20 May 2026 02:15:00 +0000

Type: Description
Values added: (identical to the Description at the top of this page)

Type: Title
Values added: Read More & Accordion <= 3.5.7 - Authenticated (Administrator+) SQL Injection via 'orderby' Parameter

Type: Weaknesses
Values added: CWE-89

Type: References
Values added: (none listed)

Type: Metrics (cvssV3_1)
Values added: {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-05-20T17:16:36.961Z
Reserved: 2026-04-29T19:56:27.425Z
Link: CVE-2026-7472

Vulnrichment

Updated: 2026-05-20T17:16:34.013Z

NVD

Status: Deferred
Published: 2026-05-20T02:16:39.547
Modified: 2026-05-20T13:54:54.890
Link: CVE-2026-7472

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T10:00:04Z

Weaknesses