Advisory severity: high

CVE-2026-7467: WordPress Read More & Accordion Plugin Privilege Escalation

The Read More & Accordion plugin for WordPress is vulnerable to privilege escalation due to insufficient restrictions on database table writes and data validation during import, allowing authenticated attackers to create administrator accounts.

The Read More & Accordion plugin, versions 3.5.7 and earlier, contains a privilege escalation vulnerability (CVE-2026-7467). The vulnerability resides within the RadMoreAjax::importData function. Insufficient input validation and a lack of restrictions on database table writes during the import process allow authenticated attackers with plugin-granted permissions to manipulate critical database tables. By inserting arbitrary rows into the wp_users and wp_usermeta tables, including the wp_capabilities field, attackers can effectively create rogue administrator accounts. This flaw allows them to gain complete administrative control over the affected WordPress site.

Attack Chain

  1. An attacker gains authenticated access to a WordPress site. This access level must have the permission to use the Read More & Accordion plugin’s import feature.
  2. The attacker crafts a malicious payload designed to create a new administrator user. This payload includes entries for the wp_users and wp_usermeta tables.
  3. The malicious payload is submitted to the RadMoreAjax::importData function through the plugin’s import functionality.
  4. The RadMoreAjax::importData function fails to properly validate the data, allowing the attacker’s crafted entries to be processed.
  5. New rows are inserted into the wp_users and wp_usermeta tables, effectively creating a new user account.
  6. The wp_usermeta table is populated with metadata for the new user, including the wp_capabilities field. This field is set to grant the user administrator privileges.
  7. The attacker logs in to the WordPress site using the newly created administrator account.
  8. The attacker now has full control over the compromised WordPress site, including the ability to install plugins, modify themes, and access sensitive data.

Impact

Successful exploitation of CVE-2026-7467 allows an attacker to gain complete administrative control over a WordPress website. This can lead to data theft, website defacement, malware distribution, and other malicious activities. The severity is high due to the ease of exploitation for authenticated users and the potential for complete system compromise. The number of potentially affected websites is significant, as the Read More & Accordion plugin is a widely used WordPress plugin.

Recommendation

  • Upgrade the Read More & Accordion plugin to a version greater than 3.5.7 to patch CVE-2026-7467.
  • Implement the Sigma rule “Detect CVE-2026-7467 Exploitation Attempt via Read More & Accordion Plugin Import” to detect attempts to exploit this vulnerability in real-time.
  • Review user roles and permissions within WordPress to ensure that only trusted users have access to plugin import functionality.

Detection coverage (2 rules)

Detect CVE-2026-7467 Exploitation Attempt via Read More & Accordion Plugin Import

Severity: high

Detects CVE-2026-7467 exploitation — an attempt to inject malicious data via the Read More & Accordion plugin import functionality, potentially leading to privilege escalation by creating rogue administrator accounts.

Format: sigma | Tactics: cve-2026-7467, privilege_escalation | Techniques: T1068 | Sources: webserver

Detect Potential Administrator Account Creation via Plugin Import

Severity: medium

Detects the creation of a new administrator account by monitoring for inserts into the wp_users table with corresponding wp_capabilities updates during plugin import operations.

Format: sigma | Tactics: cve-2026-7467, privilege_escalation | Techniques: T1068 | Sources: webserver
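The two rules above combine a webserver signal (a POST to the plugin import endpoint) with a database signal (a wp_users insert followed by a wp_capabilities write granting administrator). The following Python script is an added illustration of that correlation logic, not the platform's Sigma rules or the plugin's code; it assumes a constructed access log and a constructed database query log, and the AJAX action name "radmore_import" is an assumption because the advisory does not name the real request parameter.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (not taken from the advisory). The action name
# "radmore_import" is an assumption; the real parameter is not on the page.
ACCESS_LOG = """\
10.0.0.5 - - [12/Mar/2026:10:14:02 +0000] "POST /wp-admin/admin-ajax.php?action=radmore_import HTTP/1.1" 200 512
10.0.0.9 - - [12/Mar/2026:10:20:30 +0000] "GET /wp-admin/index.php HTTP/1.1" 200 8120
"""
QUERY_LOG = """\
2026-03-12T10:14:03Z INSERT INTO wp_users (user_login, user_pass) VALUES ('svc-backup', '<hash>')
2026-03-12T10:14:03Z INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (57, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}')
2026-03-12T10:20:31Z UPDATE wp_options SET option_value = 'x' WHERE option_name = 'cron'
"""

IMPORT_ACTION = "radmore_import"  # assumed action name, see note above
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})')
USER_INSERT = re.compile(r"INSERT INTO wp_users\b", re.I)
ADMIN_CAP = re.compile(r"wp_usermeta.*wp_capabilities.*administrator", re.I)

def parse_access(text):
    """Yield (timestamp, client_ip, method, path) for each combined-format access line."""
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            yield ts, m.group(1), m.group(3), m.group(4)

def import_requests(text):
    """Rule 1 signal: POSTs to admin-ajax.php carrying the plugin import action."""
    return [(ts, ip) for ts, ip, method, path in parse_access(text)
            if method == "POST" and "admin-ajax.php" in path
            and f"action={IMPORT_ACTION}" in path]

def parse_queries(text):
    """Yield (timestamp, sql) from a simple 'ISO-timestamp statement' query log."""
    for line in text.splitlines():
        ts_str, _, sql = line.partition(" ")
        if sql:
            yield datetime.fromisoformat(ts_str.replace("Z", "+00:00")), sql

def admin_creation_after_import(access_text, query_text, window=timedelta(seconds=60)):
    """Rule 2 signal: a wp_users insert and an administrator wp_capabilities write
    both landing within `window` after an import request -> one alert per request."""
    queries = list(parse_queries(query_text))
    alerts = []
    for ts_imp, ip in import_requests(access_text):
        in_window = [sql for ts, sql in queries if ts_imp <= ts <= ts_imp + window]
        if any(USER_INSERT.search(s) for s in in_window) and any(ADMIN_CAP.search(s) for s in in_window):
            alerts.append({"client_ip": ip, "import_at": ts_imp.isoformat()})
    return alerts
```

Tuning the window to the site's import latency keeps legitimate imports that touch only plugin tables from alerting, since those never produce the wp_users and wp_capabilities writes the second check requires.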
