B Accordion <= 2.0.2 - Authenticated (Contributor+) Information Exposure
Description
The Accordion – Add Horizontal / Vertical Accordion in WP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive user or configuration data.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NTechnical Details
<=2.0.2Source Code
WordPress.org SVNThis research plan outlines the strategy for investigating and exploiting **CVE-2026-24565** in the "B Accordion" WordPress plugin. ## 1. Vulnerability Summary The **B Accordion** plugin (versions <= 2.0.2) contains an **Information Exposure** vulnerability. Authenticated users with at least **Cont…
Show full research plan
This research plan outlines the strategy for investigating and exploiting CVE-2026-24565 in the "B Accordion" WordPress plugin.
1. Vulnerability Summary
The B Accordion plugin (versions <= 2.0.2) contains an Information Exposure vulnerability. Authenticated users with at least Contributor-level permissions can access sensitive information, likely because an AJAX handler or REST API endpoint intended for administrative use fails to perform adequate capability checks (e.g., current_user_can('manage_options')) or returns overly verbose data objects (like full User objects or Site Settings).
2. Attack Vector Analysis
- Endpoint: Likely a WordPress AJAX action (
/wp-admin/admin-ajax.php) or a custom REST API route (/wp-json/...). - Action Name (Inferred): Look for strings like
b_accordion_,get_users,fetch_config, oraccordion_search. - Authentication: Requires a Contributor-level account. This is significant because Contributors can access the post editor where Gutenberg blocks are rendered.
- Payload: An HTTP request (GET or POST) to the vulnerable endpoint, potentially with parameters to query specific data (e.g.,
user_id,query, orsetting). - Precondition: The attacker must be logged in as a Contributor.
3. Code Flow
- Entry Point: The plugin registers a hook using
add_action( 'wp_ajax_...', ... )orregister_rest_route( 'b-accordion/v1', ... ). - Capability Check (Missing/Weak): The callback function likely lacks a check like
if ( ! current_user_can( 'manage_options' ) ). It might only checkis_user_logged_in(), which is true for Contributors. - Data Retrieval: The code executes a query such as
get_users(),get_userdata(), orget_option(). - Information Exposure: The resulting data (which may include emails, user metadata, or system paths) is returned via
wp_send_json_success().
4. Nonce Acquisition Strategy
Since this is a Contributor+ vulnerability, the attacker has access to the WordPress admin dashboard (specifically the post editor).
- Identify the Script/Variable: Examine the source code for
wp_localize_script. Look for a variable related tob-accordion. - Setup: Create a post as a Contributor and include the B Accordion block.
- Extraction:
- Navigate to the post editor:
/wp-admin/post-new.php. - Use
browser_evalto extract the nonce and the REST base URL. - Likely JS Variable:
window.b_accordion_dataorwindow.wpApiSettings. - Command:
browser_eval("window.wpApiSettings.nonce")(for REST) orbrowser_eval("b_accordion_obj.nonce")(for AJAX).
- Navigate to the post editor:
5. Exploitation Strategy
Step 1: Discovery
Locate the vulnerable endpoint. Use grep on the plugin directory:
grep -rnE "wp_ajax_|register_rest_route" /var/www/html/wp-content/plugins/b-accordion/
Search for sensitive functions in the results:
grep -rnE "get_users|get_userdata|get_option|wp_user_query" /var/www/html/wp-content/plugins/b-accordion/
Step 2: Request Construction
Once the action/route is found, craft the request using http_request.
Example (AJAX Hypothesis):
- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Method: POST
- Body:
action=[ACTION_NAME]&_ajax_nonce=[NONCE]&user_id=1 - Headers: Include
Cookiefrom the Contributor session.
Example (REST Hypothesis):
- URL:
http://localhost:8080/wp-json/b-accordion/v1/[ENDPOINT] - Method: GET
- Headers:
X-WP-Nonce: [NONCE]
Step 3: Payload
If the vulnerability allows querying users, try to dump the administrator (ID 1) details:action=b_accordion_get_user_details&user_id=1
6. Test Data Setup
- Users: Ensure an Administrator exists (User ID 1) with sensitive metadata (e.g., a phone number or private email).
- Attacker Account: Create a user with the Contributor role.
wp user create attacker attacker@example.com --role=contributor --user_pass=password123 - Plugin Setup: Activate
b-accordion.
7. Expected Results
- Successful Exploitation: The response body contains JSON data containing sensitive fields such as
user_email,user_login,display_name, or potentiallymeta_valueentries from thewp_usermetatable. - Proof of Concept: A JSON response showing the Administrator's email address when requested by the Contributor.
8. Verification Steps
- Verify the data returned matches the database:
wp user get 1 --fields=user_email,user_login - Confirm that an unauthenticated user (no cookies) cannot access the same endpoint (should return 401 or 403).
9. Alternative Approaches
- Parameter Brute Forcing: If the endpoint takes an ID, iterate from 1-10 to see if different user data is leaked.
- Search Parameters: If the endpoint is a search function, use
%or*to see if it returns a list of all users. - Site Configuration: Check if the plugin leaks
get_optiondata. Look for endpoints that might return site settings which could contain API keys for other services.
Summary
The B Accordion plugin for WordPress is vulnerable to Information Exposure in versions up to 2.0.2 due to insufficient capability checks on data-retrieval endpoints. This allows authenticated attackers with Contributor-level permissions or higher to access sensitive information, such as user details or site configurations, that should be restricted to administrators.
Exploit Outline
An attacker with Contributor-level access can exploit this vulnerability by first logging into the WordPress admin dashboard and accessing the post editor to create or edit a post containing a B Accordion block. From the editor page, the attacker can extract required security nonces and endpoint details from localized JavaScript objects (such as 'wpApiSettings' for REST routes or plugin-specific objects like 'b_accordion_obj'). By crafting an HTTP request to the vulnerable endpoint (e.g., an AJAX action at admin-ajax.php or a REST route under /wp-json/b-accordion/v1/) with the captured nonce, the attacker can trigger functions like get_users() or get_option() and receive a JSON response containing sensitive data like user emails, login names, and metadata.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.