CVE-2026-6443

CRITICAL 9.8

Accordion and Accordion Slider 1.4.6 - Injected Backdoor

CVSS Score

9.8

EPSS Score

0.0%

EPSS Percentile

0th

The Accordion and Accordion Slider plugin for WordPress is vulnerable to an injected backdoor in version 1.4.6. This is due to the plugin being sold to a malicious threat actor that embedded a backdoor in all of the plugin's they acquired. This makes it possible for the threat actor to maintain a persistent backdoor and inject spam into the affected sites.

CWE	CWE-506
Vendor	essentialplugin
Product	accordion and accordion slider
Published	Apr 17, 2026

Stay Ahead of the Next One

Get instant alerts for essentialplugin accordion and accordion slider

Be the first to know when new critical vulnerabilities affecting essentialplugin accordion and accordion slider are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

essentialplugin / Accordion and Accordion Slider

1.4.6

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/2597724a-9a39-4e46-b153-f42366f833ba?source=cve anchor.host: https://anchor.host/someone-bought-30-wordpress-plugins-and-planted-a-backdoor-in-all-of-them/

Credits

Eu Joe Chegne Damien