CVE-2026-7467

HIGH 8.8

Read More & Accordion <= 3.5.7 - Privilege Escalation via importData

CVSS Score

8.8

EPSS Score

0.0%

EPSS Percentile

12th

The Read More & Accordion plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.5.7. This is due to the 'RadMoreAjax::importData' function not restricting which database tables can be written to during import and not properly validating the imported data. This makes it possible for authenticated attackers, with permission granted by the site owner through the plugin's role settings, to insert arbitrary rows into the 'wp_users' and 'wp_usermeta' tables, including the 'wp_capabilities' field, allowing them to create a new administrator account and gain administrator access to the site.

CWE	CWE-269
Vendor	edmonparker
Product	read more & accordion
Published	May 20, 2026
Last Updated	May 20, 2026

Stay Ahead of the Next One

Get instant alerts for edmonparker read more & accordion

Be the first to know when new high vulnerabilities affecting edmonparker read more & accordion are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

edmonparker / Read More & Accordion

0 ≤ 3.5.7

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/adf51c03-b0bb-4864-b64d-6b0cba4b0130?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/expand-maker/tags/3.5.5/files/RadMoreAjax.php#L62

Credits

BIMA IKHSAN