{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0727", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-08T14:53:42.062Z", "datePublished": "2026-02-14T06:42:26.388Z", "dateUpdated": "2026-04-08T16:39:42.849Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:39:42.849Z"}, "affected": [{"vendor": "essentialplugin", "product": "Accordion and Accordion Slider", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.4.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Accordion and Accordion Slider plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.5. This is due to the plugin not properly verifying that a user is authorized to perform an action in the 'wp_aas_save_attachment_data' and 'wp_aas_get_attachment_edit_form' functions. This makes it possible for authenticated attackers, with contributor level access and above, to read and modify attachment metadata including file paths, titles, captions, alt text, and custom links for any attachment on the site."}], "title": "Accordion and Accordion Slider <= 1.4.5 - Missing Authorization to Authenticated (Contributor+) Attachment Metadata Modification", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1c5108f3-d80c-4646-8d40-3bdd1361c6ab?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/accordion-and-accordion-slider/tags/1.4.6/includes/admin/class-wp-aas-admin.php#L294"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Kazuma Matsumoto"}], "timeline": [{"time": "2025-12-27T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-01-08T18:23:44.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-13T18:20:34.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-18T20:14:31.152757Z", "id": "CVE-2026-0727", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T20:14:39.611Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0727", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-18T20:14:31.152757Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T20:14:34.635Z"}}], "cna": {"title": "Accordion and Accordion Slider <= 1.4.5 - Missing Authorization to Authenticated (Contributor+) Attachment Metadata Modification", "credits": [{"lang": "en", "type": "finder", "value": "Kazuma Matsumoto"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"}}], "affected": [{"vendor": "essentialplugin", "product": "Accordion and Accordion Slider", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.4.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-27T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-01-08T18:23:44.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-13T18:20:34.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1c5108f3-d80c-4646-8d40-3bdd1361c6ab?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/accordion-and-accordion-slider/tags/1.4.6/includes/admin/class-wp-aas-admin.php#L294"}], "descriptions": [{"lang": "en", "value": "The Accordion and Accordion Slider plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.5. This is due to the plugin not properly verifying that a user is authorized to perform an action in the 'wp_aas_save_attachment_data' and 'wp_aas_get_attachment_edit_form' functions. This makes it possible for authenticated attackers, with contributor level access and above, to read and modify attachment metadata including file paths, titles, captions, alt text, and custom links for any attachment on the site."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:39:42.849Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0727", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:39:42.849Z", "dateReserved": "2026-01-08T14:53:42.062Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-14T06:42:26.388Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Accordion and Accordion Slider plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.5. This is due to the plugin not properly verifying that a user is authorized to perform an action in the 'wp_aas_save_attachment_data' and 'wp_aas_get_attachment_edit_form' functions. This makes it possible for authenticated attackers, with contributor level access and above, to read and modify attachment metadata including file paths, titles, captions, alt text, and custom links for any attachment on the site."}, {"lang": "es", "value": "El plugin Accordion y Accordion Slider para WordPress es vulnerable a una omisi\u00f3n de autorizaci\u00f3n en todas las versiones hasta la 1.4.5, inclusive. Esto se debe a que el plugin no verifica correctamente que un usuario est\u00e1 autorizado para realizar una acci\u00f3n en las funciones 'wp_aas_save_attachment_data' y 'wp_aas_get_attachment_edit_form'. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador o superior, lean y modifiquen metadatos de adjuntos, incluyendo rutas de archivo, t\u00edtulos, leyendas, texto alternativo y enlaces personalizados para cualquier adjunto en el sitio."}], "id": "CVE-2026-0727", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-14T07:16:08.590", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/accordion-and-accordion-slider/tags/1.4.6/includes/admin/class-wp-aas-admin.php#L294"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1c5108f3-d80c-4646-8d40-3bdd1361c6ab?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.5]"}}], "product": "accordion_and_accordion_slider", "vendor": "essentialplugin"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T20:39:53.241839+00:00", "value": {"mitigation_remediation": ["Upgrade Accordion and Accordion Slider to version 1.4.6 or later. The new release adds proper authorization checks for modifying attachment data.", "Restrict the 'wp_aas_save_attachment_data' and 'wp_aas_get_attachment_edit_form' endpoints to administrators only by adjusting user role capabilities or using a role\u2011management plugin.", "If upgrading is not feasible, consider removing the plugin altogether or replacing it with a trusted alternative that has proper access controls."], "summary": {"action": "Apply Patch", "impact": "Authorization bypass allows authenticated contributors to modify all attachment metadata"}, "threat_synthesis": {"affected_systems": "Believed to affect the Essential Plugin Accordion and Accordion Slider for WordPress. Versions up to and including 1.4.5 are vulnerable. The problem exists in plugins built on WordPress and is triggered when the user has contributor-level access or higher.", "description_and_impact": "The Accordion and Accordion Slider plugin for WordPress has an authorization bypass that enables authenticated contributors and higher roles to read and modify any attachment metadata, including file paths, titles, captions, alt text, and custom links. This flaw is classified as CWE\u2011862, indicating an inadequate check of the user\u2019s authorization before allowing data modification. While the vulnerability does not grant code execution, it permits an attacker to alter media references and potentially deface or mislead users by changing image metadata.", "risk_and_exploitability": "The CVSS score is 5.4, indicating a moderate severity. The EPSS score is below 1%, meaning current exploitation attempts are infrequent. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a user who can authenticate to the WordPress site with a contributor role or higher and then use the admin functions 'wp_aas_save_attachment_data' or 'wp_aas_get_attachment_edit_form' to change attachment metadata. There are no external trigger requirements beyond normal authenticated site access."}}}}, "created": "2026-02-16T12:03:10.309338+00:00", "updated": "2026-04-15T20:45:06.387628+00:00", "vendors": ["essentialplugin", "essentialplugin$PRODUCT$accordion_and_accordion_slider", "wordpress", "wordpress$PRODUCT$wordpress"]}