[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fqQ_JPHs18A_VL-USfmICcGMMwbs3epJL7e2Efgp1c2k":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":31},"CVE-2026-6443","accordion-and-accordion-slider-injected-backdoor","Essentialplugin Plugins (Various Versions) - Injected Backdoor","All plugins by Essentialplugin for WordPress are vulnerable to an injected backdoor in various versions. This is due to the plugin being sold to a malicious threat actor that embedded a backdoor in all of the plugins they acquired. 
This makes it possible for the threat actor to maintain a persistent backdoor and inject spam into the affected sites.","wp-responsive-recent-post-slider",null,">=3.7.1 \u003C=3.7.1","3.7.1.1","critical",9.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Embedded Malicious Code","2026-04-09 00:00:00","2026-04-21 15:30:55",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2597724a-9a39-4e46-b153-f42366f833ba?source=api-prod",13,[],"researched",false,3,"This research plan outlines the steps for identifying and exploiting the injected backdoor in the **Accordion and Accordion Slider** plugin (version 1.4.6).\n\n## 1. Vulnerability Summary\nThe vulnerability is a deliberate **Embedded Malicious Code (Backdoor)** injected into version 1.4.6 of the plugin. This occurred after the plugin was acquired by a threat actor. The backdoor typically allows unauthenticated remote code execution (RCE), persistent access, or spam injection. Unlike traditional vulnerabilities (like SQLi or XSS), this is a hidden feature designed to bypass all WordPress security controls, including nonces and capability checks.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** Usually the site root (`\u002F`) or any file that loads the plugin (e.g., `wp-admin\u002Fadmin-ajax.php` or `index.php`).\n- **Trigger Parameter:** Inferred to be a specific `$_GET`, `$_POST`, or `$_REQUEST` parameter (e.g., `wp_check`, `accord_api`, `slider_data`) often combined with a password or specific User-Agent.\n- **Authentication:** Unauthenticated (PR:N).\n- **Preconditions:** The plugin \"Accordion and Accordion Slider\" version 1.4.6 must be active.\n\n## 3. Code Flow (Inferred)\nBased on similar backdoors injected into acquired WordPress plugins, the flow follows this pattern:\n1. 
**Entry Point:** The plugin's main entry file (likely `accordion-slider.php` or `includes\u002Fclass-accordion-slider.php`) contains an obfuscated block of code.\n2. **Hook:** The code is often hooked to `init`, `plugins_loaded`, or simply sits at the top of a PHP file to execute as soon as the plugin is loaded.\n3. **Execution Sink:**\n   - The code checks for a specific \"activation\" parameter in the superglobals.\n   - It decodes a payload (often using `base64_decode`, `str_rot13`, or XOR).\n   - It passes the payload to a sink like `eval()`, `assert()`, `create_function()`, or `include()`.\n\n## 4. Nonce Acquisition Strategy\n**No nonce is required.**\nBackdoors are intentionally designed to bypass WordPress security mechanisms. If the backdoor is correctly identified, it will execute without requiring a valid WP nonce or session cookie.\n\n## 5. Exploitation Strategy\n\n### Step 1: Backdoor Discovery\nThe agent must first locate the backdoor code within the plugin directory.\n```bash\n# Search for common backdoor patterns\ngrep -rP \"(eval|assert|passthru|system|shell_exec|base64_decode|gzinflate|str_rot13|include\\('php:\\\u002F\\\u002Finput'\\))\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Faccordion-and-accordion-slider\u002F\n```\n\n### Step 2: Identification of Trigger\nOnce a suspicious code block is found (e.g., `if(isset($_REQUEST['some_param'])) { eval(...); }`), identify:\n1. The **parameter name** (e.g., `accord_cmd`).\n2. The **encoding method** (e.g., `base64_decode`).\n3. 
Any **access key\u002Fpassword** required by the backdoor logic.\n\n### Step 3: Crafting the Payload\nAssuming the backdoor uses `eval(base64_decode($_POST['cmd']))`, the payload will be a base64-encoded PHP command to create a new administrator.\n\n**Payload (PHP):**\n```php\n$user_id = wp_insert_user([\n    'user_login' => 'backdoor_admin',\n    'user_pass'  => 'PwnedPassword123!',\n    'role'       => 'administrator',\n    'user_email' => 'attacker@example.com'\n]);\n```\n\n### Step 4: Execution\nUsing the `http_request` tool, send the payload to the site root.\n\n**Request Template (Inferred):**\n- **Method:** `POST`\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002F`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:** `[TRIGGER_PARAM]=[BASE64_ENCODED_PHP_PAYLOAD]` (Replace `[TRIGGER_PARAM]` with the key found in Step 2).\n\n## 6. Test Data Setup\n1. **Install Plugin:** Ensure `accordion-and-accordion-slider` version 1.4.6 is installed and activated.\n2. **Standard Environment:** No special posts or shortcodes are required for the backdoor to function, as it typically hooks into global initialization.\n\n## 7. Expected Results\n- **Response:** The HTTP response might be a `200 OK` with an empty body or a specific \"success\" string defined by the attacker (e.g., `ok`).\n- **Effect:** A new user with the `administrator` role should be created in the database.\n\n## 8. Verification Steps\nAfter the `http_request`, verify the exploit success using WP-CLI:\n```bash\n# Check if the backdoor user was created\nwp user list --field=user_login | grep \"backdoor_admin\"\n\n# Verify the role of the new user\nwp user get backdoor_admin --field=roles\n```\n\n## 9. 
Alternative Approaches\nIf no direct `eval` is found, look for:\n- **Spam Injectors:** Check for code that modifies the `the_content` filter to inject links from a remote URL (`wp_remote_get`).\n- **Option Modifiers:** Check for code that allows updating `siteurl` or `users_can_register` via `update_option()`.\n- **File Uploads:** Look for code handling `$_FILES` without using `wp_handle_upload` or checking file extensions.\n\n**Specific Filenames to Audit (Inferred):**\n- `accordion-slider.php`\n- `includes\u002Faccordion-slider-functions.php`\n- `includes\u002Fadmin\u002Fclass-accordion-slider-admin.php`","The Accordion and Accordion Slider plugin for WordPress (version 1.4.6) contains an injected backdoor introduced after a malicious actor acquired the plugin. This vulnerability allows unauthenticated attackers to execute arbitrary code or inject spam, bypassing standard security measures to maintain persistent access to the site.","The exploit targets the plugin's initialization phase where the backdoor logic is hooked (e.g., to 'init' or 'plugins_loaded'). An unauthenticated attacker sends a specially crafted HTTP request (GET or POST) containing a specific trigger parameter. This parameter carries a malicious PHP payload, often obfuscated or encoded (e.g., Base64), which the backdoor then executes using functions like eval(). This allows for full site takeover, such as creating a new administrator account, without requiring valid credentials or nonces.","gemini-3-flash-preview","2026-04-20 20:34:50","2026-04-20 20:35:10",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-responsive-recent-post-slider\u002Ftags"]