Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UnboundStudio Accordion FAQ allows Reflected XSS.
This issue affects Accordion FAQ: from n/a through 2.2.1.
AnalysisAI
Reflected cross-site scripting in the UnboundStudio Accordion FAQ WordPress plugin (versions through 2.2.1) allows remote attackers to execute arbitrary JavaScript in a victim's browser session by luring them to click a crafted link. The CVSS 7.1 score reflects scope change (S:C), meaning script execution can affect resources beyond the vulnerable component, such as the WordPress admin context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Technical ContextAI
The vulnerability is a CWE-79 (Improper Neutralization of Input During Web Page Generation) flaw in the PressApps Accordion FAQ plugin for WordPress, identified by CPE cpe:2.3:a:unboundstudio:accordion_faq. Reflected XSS occurs when user-supplied input is echoed back into an HTTP response without proper output encoding or contextual escaping, allowing an attacker to inject HTML/JavaScript that executes in the victim's browser under the origin of the WordPress site hosting the plugin. The scope change indicator (S:C) in the CVSS vector suggests the injected script can impact a different security authority - typical in WordPress XSS where a script delivered through a plugin context can manipulate admin-area DOM or session data.
RemediationAI
No vendor-released patch identified at time of analysis from the provided data - the Patchstack advisory only confirms that versions through 2.2.1 are vulnerable, with no fix version cited. Administrators should monitor the WordPress plugin repository and the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/pressapps-accordion-faq/vulnerability/wordpress-accordion-faq-plugin-2-2-1-cross-site-scripting-xss-vulnerability) for an updated release and upgrade as soon as one is published. In the interim, deactivate and remove the Accordion FAQ plugin if it is not business-critical (trade-off: loss of FAQ functionality on the site), deploy a Web Application Firewall rule that strips or blocks suspicious query-string and form parameters reaching plugin endpoints (trade-off: potential false positives on legitimate admin traffic), and instruct WordPress administrators to avoid clicking unsolicited links pointing to their own site domain since reflected XSS exploitation requires victim interaction.
More in Accordion Faq
View allSame weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210033
GHSA-4875-pvww-f65w