CVE-2026-24565

B Accordion <= 2.0.2 - Authenticated (Contributor+) Information Exposure

mediumExposure of Sensitive Information to an Unauthorized Actor
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
2.0.3
Patched in
84d
Time to patch

Description

The Accordion – Add Horizontal / Vertical Accordion in WP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive user or configuration data.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Low
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<=2.0.2
PublishedJanuary 21, 2026
Last updatedApril 14, 2026
Affected pluginb-accordion

Source Code

WordPress.org SVN
Research Plan
Unverified

This research plan outlines the strategy for investigating and exploiting **CVE-2026-24565** in the "B Accordion" WordPress plugin. ## 1. Vulnerability Summary The **B Accordion** plugin (versions <= 2.0.2) contains an **Information Exposure** vulnerability. Authenticated users with at least **Cont…

Show full research plan

This research plan outlines the strategy for investigating and exploiting CVE-2026-24565 in the "B Accordion" WordPress plugin.

1. Vulnerability Summary

The B Accordion plugin (versions <= 2.0.2) contains an Information Exposure vulnerability. Authenticated users with at least Contributor-level permissions can access sensitive information, likely because an AJAX handler or REST API endpoint intended for administrative use fails to perform adequate capability checks (e.g., current_user_can('manage_options')) or returns overly verbose data objects (like full User objects or Site Settings).

2. Attack Vector Analysis

  • Endpoint: Likely a WordPress AJAX action (/wp-admin/admin-ajax.php) or a custom REST API route (/wp-json/...).
  • Action Name (Inferred): Look for strings like b_accordion_, get_users, fetch_config, or accordion_search.
  • Authentication: Requires a Contributor-level account. This is significant because Contributors can access the post editor where Gutenberg blocks are rendered.
  • Payload: An HTTP request (GET or POST) to the vulnerable endpoint, potentially with parameters to query specific data (e.g., user_id, query, or setting).
  • Precondition: The attacker must be logged in as a Contributor.

3. Code Flow

  1. Entry Point: The plugin registers a hook using add_action( 'wp_ajax_...', ... ) or register_rest_route( 'b-accordion/v1', ... ).
  2. Capability Check (Missing/Weak): The callback function likely lacks a check like if ( ! current_user_can( 'manage_options' ) ). It might only check is_user_logged_in(), which is true for Contributors.
  3. Data Retrieval: The code executes a query such as get_users(), get_userdata(), or get_option().
  4. Information Exposure: The resulting data (which may include emails, user metadata, or system paths) is returned via wp_send_json_success().

4. Nonce Acquisition Strategy

Since this is a Contributor+ vulnerability, the attacker has access to the WordPress admin dashboard (specifically the post editor).

  1. Identify the Script/Variable: Examine the source code for wp_localize_script. Look for a variable related to b-accordion.
  2. Setup: Create a post as a Contributor and include the B Accordion block.
  3. Extraction:
    • Navigate to the post editor: /wp-admin/post-new.php.
    • Use browser_eval to extract the nonce and the REST base URL.
    • Likely JS Variable: window.b_accordion_data or window.wpApiSettings.
    • Command: browser_eval("window.wpApiSettings.nonce") (for REST) or browser_eval("b_accordion_obj.nonce") (for AJAX).

5. Exploitation Strategy

Step 1: Discovery

Locate the vulnerable endpoint. Use grep on the plugin directory:

grep -rnE "wp_ajax_|register_rest_route" /var/www/html/wp-content/plugins/b-accordion/

Search for sensitive functions in the results:

grep -rnE "get_users|get_userdata|get_option|wp_user_query" /var/www/html/wp-content/plugins/b-accordion/

Step 2: Request Construction

Once the action/route is found, craft the request using http_request.

Example (AJAX Hypothesis):

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Body: action=[ACTION_NAME]&_ajax_nonce=[NONCE]&user_id=1
  • Headers: Include Cookie from the Contributor session.

Example (REST Hypothesis):

  • URL: http://localhost:8080/wp-json/b-accordion/v1/[ENDPOINT]
  • Method: GET
  • Headers: X-WP-Nonce: [NONCE]

Step 3: Payload

If the vulnerability allows querying users, try to dump the administrator (ID 1) details:
action=b_accordion_get_user_details&user_id=1

6. Test Data Setup

  1. Users: Ensure an Administrator exists (User ID 1) with sensitive metadata (e.g., a phone number or private email).
  2. Attacker Account: Create a user with the Contributor role.
    wp user create attacker attacker@example.com --role=contributor --user_pass=password123
    
  3. Plugin Setup: Activate b-accordion.

7. Expected Results

  • Successful Exploitation: The response body contains JSON data containing sensitive fields such as user_email, user_login, display_name, or potentially meta_value entries from the wp_usermeta table.
  • Proof of Concept: A JSON response showing the Administrator's email address when requested by the Contributor.

8. Verification Steps

  1. Verify the data returned matches the database:
    wp user get 1 --fields=user_email,user_login
    
  2. Confirm that an unauthenticated user (no cookies) cannot access the same endpoint (should return 401 or 403).

9. Alternative Approaches

  • Parameter Brute Forcing: If the endpoint takes an ID, iterate from 1-10 to see if different user data is leaked.
  • Search Parameters: If the endpoint is a search function, use % or * to see if it returns a list of all users.
  • Site Configuration: Check if the plugin leaks get_option data. Look for endpoints that might return site settings which could contain API keys for other services.
Research Findings
Static analysis — not yet PoC-verified

Summary

The B Accordion plugin for WordPress is vulnerable to Information Exposure in versions up to 2.0.2 due to insufficient capability checks on data-retrieval endpoints. This allows authenticated attackers with Contributor-level permissions or higher to access sensitive information, such as user details or site configurations, that should be restricted to administrators.

Exploit Outline

An attacker with Contributor-level access can exploit this vulnerability by first logging into the WordPress admin dashboard and accessing the post editor to create or edit a post containing a B Accordion block. From the editor page, the attacker can extract required security nonces and endpoint details from localized JavaScript objects (such as 'wpApiSettings' for REST routes or plugin-specific objects like 'b_accordion_obj'). By crafting an HTTP request to the vulnerable endpoint (e.g., an AJAX action at admin-ajax.php or a REST route under /wp-json/b-accordion/v1/) with the captured nonce, the attacker can trigger functions like get_users() or get_option() and receive a JSON response containing sensitive data like user emails, login names, and metadata.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.