{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1904", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-04T15:12:30.893Z", "datePublished": "2026-02-14T04:35:41.605Z", "dateUpdated": "2026-04-08T17:04:21.457Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:04:21.457Z"}, "affected": [{"vendor": "nayon46", "product": "Simple Wp colorfull Accordion", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Simple Wp colorfull Accordion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter in the 'accordion' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Simple Wp colorfull Accordion <= 1.0 - Authenticated (Contributor+) Cross-Site Scripting via 'title' Shortcode Attribute", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8444743c-ba57-4a51-990c-eb9058829d09?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-wp-colorfull-accordion/trunk/Simple-Wp-colorfull-Accordion.php#L60"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-wp-colorfull-accordion/tags/1.0/Simple-Wp-colorfull-Accordion.php#L60"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "timeline": [{"time": "2026-02-13T16:22:48.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-17T20:34:12.952133Z", "id": "CVE-2026-1904", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T20:34:20.657Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1904", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-17T20:34:12.952133Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T20:34:17.253Z"}}], "cna": {"title": "Simple Wp colorfull Accordion <= 1.0 - Authenticated (Contributor+) Cross-Site Scripting via 'title' Shortcode Attribute", "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "nayon46", "product": "Simple Wp colorfull Accordion", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-13T16:22:48.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8444743c-ba57-4a51-990c-eb9058829d09?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-wp-colorfull-accordion/trunk/Simple-Wp-colorfull-Accordion.php#L60"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-wp-colorfull-accordion/tags/1.0/Simple-Wp-colorfull-Accordion.php#L60"}], "descriptions": [{"lang": "en", "value": "The Simple Wp colorfull Accordion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter in the 'accordion' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:04:21.457Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1904", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:04:21.457Z", "dateReserved": "2026-02-04T15:12:30.893Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-14T04:35:41.605Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Simple Wp colorfull Accordion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter in the 'accordion' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin Simple Wp colorfull Accordion para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del par\u00e1metro 'title' en el shortcode 'accordion' en todas las versiones hasta la 1.0, inclusive, debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2026-1904", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-14T05:16:19.327", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/simple-wp-colorfull-accordion/tags/1.0/Simple-Wp-colorfull-Accordion.php#L60"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/simple-wp-colorfull-accordion/trunk/Simple-Wp-colorfull-Accordion.php#L60"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8444743c-ba57-4a51-990c-eb9058829d09?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0]"}}], "product": "simple_wp_colorfull_accordion", "vendor": "nayon46"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T18:32:03.666741+00:00", "value": {"mitigation_remediation": ["Update Simple Wp colorfull Accordion to a version newer than 1.0, if available, or uninstall the plugin entirely if not required", "Restrict the Contributor role from the ability to insert or edit accordion shortcodes, or remove Contributor permissions from the site at the time of remediation", "Deploy a request\u2011time or content\u2011filter plugin that sanitizes user\u2011supplied shortcode attributes to escape or strip script tags, ensuring that any legacy content is rendered safely"], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The Simple Wp colorfull Accordion plugin provided by vendor nayon46 is affected in all released versions up to and including 1.0. No specific patch version is listed, but the issue does not exist in releases above 1.0 if they have been released.", "description_and_impact": "The vulnerability arises when the \u2018title\u2019 attribute of the accordion shortcode accepts unsanitized input, allowing a contributor or higher level user to place arbitrary JavaScript that is saved into the post content. When a victim later views the page the injected script runs in the victim\u2019s browser, giving an attacker the ability to deface the site, steal session cookies, or perform other client\u2011side attacks. The weakness is a classic reflected input\u2011validation flaw identified as CWE\u201179, and it affects the confidentiality and integrity of the web content by enabling unauthorized script execution.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate severity, while the EPSS score of less than 1% shows that only a small fraction of potential targets may exploit the flaw. The vulnerability is not catalogued in the CISA KEV list yet. Exploitation requires the attacker to have Contributor\u2011level or higher WordPress access, after which they can pre\u2011populate the \u2018title\u2019 field in an accordion shortcode. Once populated, the code is stored and executed on any subsequent page view by any user, making the attack effective only after the initial injection and any further users visiting the infected page."}}}}, "created": "2026-02-16T12:03:17.364909+00:00", "updated": "2026-04-15T18:45:11.411334+00:00", "vendors": ["nayon46", "nayon46$PRODUCT$simple_wp_colorfull_accordion", "wordpress", "wordpress$PRODUCT$wordpress"]}