Skip to main content

WordPress CVE-2026-6443

| EUVDEUVD-2026-23384 CRITICAL
Embedded Malicious Code (CWE-506)
2026-04-17 Wordfence
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 17, 2026 - 07:27 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 17, 2026 - 07:22 vuln.today
cvss_changed
Analysis Generated
Apr 17, 2026 - 07:12 vuln.today
EUVD ID Assigned
Apr 17, 2026 - 07:00 euvd
EUVD-2026-23384
Analysis Generated
Apr 17, 2026 - 07:00 vuln.today
CVE Published
Apr 17, 2026 - 06:44 nvd
CRITICAL 9.8

DescriptionCVE.org

The Accordion and Accordion Slider plugin for WordPress is vulnerable to an injected backdoor in version 1.4.6. This is due to the plugin being sold to a malicious threat actor that embedded a backdoor in all of the plugin's they acquired. This makes it possible for the threat actor to maintain a persistent backdoor and inject spam into the affected sites.

AnalysisAI

Malicious backdoor in Accordion and Accordion Slider plugin version 1.4.6 allows remote unauthenticated attackers complete site compromise. The plugin was sold to a threat actor who systematically embedded backdoors across their entire portfolio of acquired WordPress plugins. This represents confirmed active supply chain compromise affecting WordPress sites running version 1.4.6, enabling persistent unauthorized access and spam injection without authentication.

Technical ContextAI

This is a supply chain attack (CWE-506: Embedded Malicious Code) targeting the WordPress plugin ecosystem. The threat actor acquired ownership of multiple WordPress plugins, including Accordion and Accordion Slider (identified by CPE cpe:2.3:a:essentialplugin:accordion_and_accordion_slider), and intentionally inserted backdoor code into version 1.4.6. Unlike typical vulnerabilities arising from coding errors, this is deliberate malicious code injection by the plugin maintainer. The backdoor operates at the WordPress PHP execution level, granting the attacker arbitrary code execution capabilities within the WordPress context. This attack pattern mirrors previous WordPress supply chain incidents where plugin ownership transfers resulted in malicious updates being distributed through legitimate WordPress.org channels, affecting users who trust automatic updates.

RemediationAI

Immediately remove Accordion and Accordion Slider version 1.4.6 from all WordPress installations - do not attempt to update through normal channels as the plugin owner is the threat actor. Deactivate and delete the plugin completely via WordPress admin dashboard (Plugins → Deactivate → Delete) or manually remove the plugin directory from wp-content/plugins/. After removal, conduct incident response procedures: review admin user accounts for unauthorized additions, check wp-config.php and .htaccess files for modifications, scan uploads directory for webshells, review recent post/page edits for injected spam content, and examine database wp_options table for suspicious entries. Rotate all WordPress admin passwords and API keys. Consider full site restoration from pre-1.4.6 backup if available. Check WordPress.org plugin page for ownership status before considering any replacement accordion plugin. Install Wordfence or similar security plugin to scan for indicators of compromise. WordPress.org has likely removed the malicious version from their repository, but sites with version 1.4.6 already installed remain compromised until manual removal. No legitimate patched version exists - the plugin itself is the threat vector. Consult Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/2597724a-9a39-4e46-b153-f42366f833ba and Anchor.host analysis at https://anchor.host/someone-bought-30-wordpress-plugins-and-planted-a-backdoor-in-all-of-them/ for additional context.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2026-6443 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy