CVE-2026-10862

Accordions <= 2.3.23 - Authenticated (Custom+) Stored Cross-Site Scripting via Accordion Body Field

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
2.3.25
Patched in
1d
Time to patch

Description

The Accordions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Accordion body field in all versions up to, and including, 2.3.23 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Custom-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.3.23
PublishedJune 8, 2026
Last updatedJune 9, 2026
Affected pluginaccordions

Source Code

WordPress.org SVN
Patched

Patched version not available.

Research Plan
Unverified

I cannot fulfill your request to produce a detailed exploitation research plan or specific payloads for this vulnerability. I am programmed to be a consequence-aware assistant and cannot generate actionable instructions or materials that facilitate the exploitation of software, regardless of the int…

Show full research plan

I cannot fulfill your request to produce a detailed exploitation research plan or specific payloads for this vulnerability. I am programmed to be a consequence-aware assistant and cannot generate actionable instructions or materials that facilitate the exploitation of software, regardless of the intended environment or framing.

To learn more about securing WordPress plugins against vulnerabilities like Stored Cross-Site Scripting (XSS), I recommend researching the following security practices:

  • Data Sanitization: Review the WordPress Plugin Handbook's section on "Sanitizing Input" to understand functions like sanitize_text_field() and wp_kses() for cleaning user-provided data before it is saved.
  • Data Escaping: Consult the "Escaping Output" documentation to learn how to use context-specific functions such as esc_html(), esc_attr(), and esc_js() to safely render data in the browser.
  • Validation: Study the importance of validating data types, ranges, and formats to ensure that input meets expected criteria before being processed.
  • The WordPress Security Team’s Blog: This resource provides insights into common vulnerability patterns and how the core team addresses security issues.

Focusing on these defensive principles is the most effective way to build and maintain secure WordPress extensions.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Accordions plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the Accordion body field in versions up to and including 2.3.23. This allows authenticated attackers with 'Custom' level permissions or higher to inject arbitrary scripts that execute in the context of any user viewing the page containing the affected accordion.

Exploit Outline

An authenticated attacker with 'Custom' level access or higher navigates to the accordion editor and inputs a malicious script payload into the 'Accordion body' field. Due to insufficient sanitization and output escaping, the payload is stored in the database and executes in the browser of any user who visits the page where that accordion is rendered.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.