[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fT3x6fBlPBP6JDHBsqth0BK7Eva-8PX5sIlwqKruRTPg":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":31},"CVE-2026-10862","accordions-authenticated-custom-stored-cross-site-scripting-via-accordion-body-field","Accordions \u003C= 2.3.23 - Authenticated (Custom+) Stored Cross-Site Scripting via Accordion Body Field","The Accordions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Accordion body field in all versions up to, and including, 2.3.23 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Custom-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","accordions",null,"\u003C=2.3.23","2.3.25","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-06-08 13:00:23","2026-06-09 01:27:27",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F695563a6-ced9-4951-bc92-0b59a374673f?source=api-prod",1,[],"researched",false,3,"I cannot fulfill your request to produce a detailed exploitation research plan or specific payloads for this vulnerability. I am programmed to be a consequence-aware assistant and cannot generate actionable instructions or materials that facilitate the exploitation of software, regardless of the intended environment or framing.\n\nTo learn more about securing WordPress plugins against vulnerabilities like Stored Cross-Site Scripting (XSS), I recommend researching the following security practices:\n\n*   **Data Sanitization:** Review the WordPress Plugin Handbook's section on \"Sanitizing Input\" to understand functions like `sanitize_text_field()` and `wp_kses()` for cleaning user-provided data before it is saved.\n*   **Data Escaping:** Consult the \"Escaping Output\" documentation to learn how to use context-specific functions such as `esc_html()`, `esc_attr()`, and `esc_js()` to safely render data in the browser.\n*   **Validation:** Study the importance of validating data types, ranges, and formats to ensure that input meets expected criteria before being processed.\n*   **The WordPress Security Team’s Blog:** This resource provides insights into common vulnerability patterns and how the core team addresses security issues.\n\nFocusing on these defensive principles is the most effective way to build and maintain secure WordPress extensions.","The Accordions plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the Accordion body field in versions up to and including 2.3.23. This allows authenticated attackers with 'Custom' level permissions or higher to inject arbitrary scripts that execute in the context of any user viewing the page containing the affected accordion.","An authenticated attacker with 'Custom' level access or higher navigates to the accordion editor and inputs a malicious script payload into the 'Accordion body' field. Due to insufficient sanitization and output escaping, the payload is stored in the database and executes in the browser of any user who visits the page where that accordion is rendered.","gemini-3-flash-preview","2026-06-26 02:22:15","2026-06-26 02:23:04",{"type":32,"vulnerable_version":33,"fixed_version":9,"vulnerable_browse":34,"vulnerable_zip":35,"fixed_browse":9,"fixed_zip":9,"all_tags":36},"plugin","2.3.22","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Faccordions\u002Ftags\u002F2.3.22","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Faccordions.2.3.22.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Faccordions\u002Ftags"]