Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Stored XSS requires a victim to visit the injected page (UI:R corrected from vendor UI:N); contributor authentication required (PR:L); scope changes to victim browser (S:C); no availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Easy Accordion - AI-Powered FAQ & Accordion Blocks, Product FAQ plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'align' Block Attribute in all versions up to, and including, 3.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored Cross-Site Scripting in the Easy Accordion - AI-Powered FAQ & Accordion Blocks, Product FAQ plugin (all versions ≤ 3.1.6) enables authenticated attackers holding contributor-level WordPress roles to inject persistent JavaScript payloads via the unsanitized 'align' block attribute. The injected script executes in the browser of any user - including administrators - who views the affected page, making session hijacking and privilege escalation realistic follow-on impacts. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold a valid WordPress account with at minimum contributor-level role on the target site; unauthenticated exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 score of 6.4 (Medium, AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) reflects a network-reachable, low-complexity attack with a changed scope, tempered by the PR:L requirement for contributor authentication. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has registered or compromised a contributor-level account on a target WordPress site installs or edits a page embedding the Easy Accordion block, setting the 'align' attribute to a crafted value containing a JavaScript payload (e.g., a cookie-stealing script) via the block editor JSON or WordPress REST API. The payload is stored in the WordPress database and executes silently in the browser of any user - including site administrators - who subsequently visits that page, enabling session hijacking that could grant the attacker full administrative control of the WordPress installation. … |
| Remediation | Update the Easy Accordion plugin to a version beyond 3.1.6 via the WordPress admin dashboard under Plugins → Updates, or via WP-CLI using wp plugin update easy-accordion-free. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44861
GHSA-prj2-8qrm-q9fc