Skip to main content

Easy Accordion CVE-2026-15652

| EUVDEUVD-2026-44861 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-16 Wordfence GHSA-prj2-8qrm-q9fc
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Stored XSS requires a victim to visit the injected page (UI:R corrected from vendor UI:N); contributor authentication required (PR:L); scope changes to victim browser (S:C); no availability impact.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 16, 2026 - 03:48 vuln.today
CVE Published
Jul 16, 2026 - 02:30 cve.org
MEDIUM 6.4

DescriptionCVE.org

The Easy Accordion - AI-Powered FAQ & Accordion Blocks, Product FAQ plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'align' Block Attribute in all versions up to, and including, 3.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored Cross-Site Scripting in the Easy Accordion - AI-Powered FAQ & Accordion Blocks, Product FAQ plugin (all versions ≤ 3.1.6) enables authenticated attackers holding contributor-level WordPress roles to inject persistent JavaScript payloads via the unsanitized 'align' block attribute. The injected script executes in the browser of any user - including administrators - who views the affected page, making session hijacking and privilege escalation realistic follow-on impacts. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain or register contributor-level WordPress account
Delivery
Create or edit page embedding Easy Accordion block
Exploit
Inject JavaScript payload via 'align' attribute
Execution
Payload persists in WordPress database
Persist
Administrator or other user browses affected page
Impact
Malicious script executes in victim's browser session

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a valid WordPress account with at minimum contributor-level role on the target site; unauthenticated exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 score of 6.4 (Medium, AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) reflects a network-reachable, low-complexity attack with a changed scope, tempered by the PR:L requirement for contributor authentication. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has registered or compromised a contributor-level account on a target WordPress site installs or edits a page embedding the Easy Accordion block, setting the 'align' attribute to a crafted value containing a JavaScript payload (e.g., a cookie-stealing script) via the block editor JSON or WordPress REST API. The payload is stored in the WordPress database and executes silently in the browser of any user - including site administrators - who subsequently visits that page, enabling session hijacking that could grant the attacker full administrative control of the WordPress installation. …
Remediation Update the Easy Accordion plugin to a version beyond 3.1.6 via the WordPress admin dashboard under Plugins → Updates, or via WP-CLI using wp plugin update easy-accordion-free. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15652 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy