Skip to main content

Accordion FAQ CVE-2025-52759

| EUVDEUVD-2025-210033 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-02 Patchstack GHSA-4875-pvww-f65w
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 02, 2026 - 10:21 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UnboundStudio Accordion FAQ allows Reflected XSS.

This issue affects Accordion FAQ: from n/a through 2.2.1.

AnalysisAI

Reflected cross-site scripting in the UnboundStudio Accordion FAQ WordPress plugin (versions through 2.2.1) allows remote attackers to execute arbitrary JavaScript in a victim's browser session by luring them to click a crafted link. The CVSS 7.1 score reflects scope change (S:C), meaning script execution can affect resources beyond the vulnerable component, such as the WordPress admin context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

The vulnerability is a CWE-79 (Improper Neutralization of Input During Web Page Generation) flaw in the PressApps Accordion FAQ plugin for WordPress, identified by CPE cpe:2.3:a:unboundstudio:accordion_faq. Reflected XSS occurs when user-supplied input is echoed back into an HTTP response without proper output encoding or contextual escaping, allowing an attacker to inject HTML/JavaScript that executes in the victim's browser under the origin of the WordPress site hosting the plugin. The scope change indicator (S:C) in the CVSS vector suggests the injected script can impact a different security authority - typical in WordPress XSS where a script delivered through a plugin context can manipulate admin-area DOM or session data.

RemediationAI

No vendor-released patch identified at time of analysis from the provided data - the Patchstack advisory only confirms that versions through 2.2.1 are vulnerable, with no fix version cited. Administrators should monitor the WordPress plugin repository and the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/pressapps-accordion-faq/vulnerability/wordpress-accordion-faq-plugin-2-2-1-cross-site-scripting-xss-vulnerability) for an updated release and upgrade as soon as one is published. In the interim, deactivate and remove the Accordion FAQ plugin if it is not business-critical (trade-off: loss of FAQ functionality on the site), deploy a Web Application Firewall rule that strips or blocks suspicious query-string and form parameters reaching plugin endpoints (trade-off: potential false positives on legitimate admin traffic), and instruct WordPress administrators to avoid clicking unsolicited links pointing to their own site domain since reflected XSS exploitation requires victim interaction.

Share

CVE-2025-52759 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy