CVE-2026-7467
Privilege Escalation in Read More & Accordion WordPress Plugin
Publication date: 2026-05-20
Last updated on: 2026-05-20
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_plugin | read_more_and_accordion | up to and including 3.5.7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Read More & Accordion plugin for WordPress has a vulnerability in versions up to and including 3.5.7 that allows privilege escalation. This happens because the 'RadMoreAjax::importData' function does not restrict which database tables can be written to during data import and fails to properly validate the imported data.
As a result, authenticated attackers who have permissions granted by the site owner through the plugin's role settings can insert arbitrary rows into critical database tables such as 'wp_users' and 'wp_usermeta'. This includes modifying the 'wp_capabilities' field, which can allow them to create a new administrator account and gain full administrator access to the WordPress site.
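The missing control described above is an allowlist on what an import may write. The following is an added example, not the plugin's own code: it assumes the import payload is an array of table name => rows, and the table and column names in it are hypothetical placeholders.

```php
<?php
// Added example: allowlist check for an import routine. The payload shape
// (table name => list of rows) and all table/column names are assumptions.
const ALLOWED_IMPORT = [
    // Hypothetical plugin-owned tables (unprefixed) and their permitted columns.
    'example_readmore_items' => ['id', 'type', 'title', 'options'],
    'example_readmore_pages' => ['id', 'item_id', 'post_id'],
];

// Split a payload into rows that may be written and reasons for rejection.
function filter_import(array $payload, string $prefix): array
{
    $accepted = [];
    $rejected = [];
    foreach ($payload as $table => $rows) {
        // Only an exact match of prefix + allowlisted name is importable.
        $name = is_string($table) && strpos($table, $prefix) === 0
            ? substr($table, strlen($prefix))
            : null;
        if ($name === null || !array_key_exists($name, ALLOWED_IMPORT) || !is_array($rows)) {
            $rejected[] = 'table not importable: ' . var_export($table, true);
            continue;
        }
        foreach ($rows as $i => $row) {
            // Any column outside the allowlist rejects the whole row.
            $extra = is_array($row)
                ? array_diff(array_keys($row), ALLOWED_IMPORT[$name])
                : ['<not a row>'];
            if ($extra) {
                $rejected[] = "$table row $i: unexpected column(s) " . implode(', ', $extra);
                continue;
            }
            $accepted[$table][] = $row;
        }
    }
    return ['accepted' => $accepted, 'rejected' => $rejected];
}

// Constructed sample payload: one legitimate row plus rows aimed at core tables.
$payload = [
    'wp_example_readmore_items' => [['id' => 1, 'type' => 'button', 'title' => 'Demo', 'options' => '{}']],
    'wp_users'    => [['user_login' => 'placeholder']],
    'wp_usermeta' => [['meta_key' => 'wp_capabilities', 'meta_value' => 'placeholder']],
];
$result = filter_import($payload, 'wp_');
print_r($result['rejected']);
echo count($result['accepted']['wp_example_readmore_items']), " row(s) accepted\n";
```

In a real plugin the prefix would come from `$wpdb->prefix`, and accepted rows would still need per-column value validation before being written with `$wpdb->insert()`.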
How can this vulnerability impact me?
The impact is severe: an attacker who already has some level of authenticated access can escalate their privileges to full administrator rights on the WordPress site. Possible consequences include:
- Creation of new administrator accounts by attackers.
- Full control over the website, including the ability to modify content, install malicious code, or change site settings.
- Potential compromise of sensitive data stored on the site.
- Disruption of website operations and loss of trust from users.