Attack Chain

1. An attacker gains authenticated access to a WordPress site. This access level must have the permission to use the Read More & Accordion plugin’s import feature.
2. The attacker crafts a malicious payload designed to create a new administrator user. This payload includes entries for the wp_users and wp_usermeta tables.
3. The malicious payload is submitted to the RadMoreAjax::importData function through the plugin’s import functionality.
4. The RadMoreAjax::importData function fails to properly validate the data, allowing the attacker’s crafted entries to be processed.
5. New rows are inserted into the wp_users and wp_usermeta tables, effectively creating a new user account.
6. The wp_usermeta table is populated with metadata for the new user, including the wp_capabilities field. This field is set to grant the user administrator privileges.
7. The attacker logs in to the WordPress site using the newly created administrator account.
8. The attacker now has full control over the compromised WordPress site, including the ability to install plugins, modify themes, and access sensitive data.

Impact

Successful exploitation of CVE-2026-7467 allows an attacker to gain complete administrative control over a WordPress website. This can lead to data theft, website defacement, malware distribution, and other malicious activities. The severity is high due to the ease of exploitation for authenticated users and the potential for complete system compromise. The number of potentially affected websites is significant, as the Read More & Accordion plugin is a widely used WordPress plugin.

Recommendation

• Upgrade the Read More & Accordion plugin to a version greater than 3.5.7 to patch CVE-2026-7467.
• Implement the Sigma rule “Detect CVE-2026-7467 Exploitation Attempt via Read More & Accordion Plugin Import” to detect attempts to exploit this vulnerability in real-time.
• Review user roles and permissions within WordPress to ensure that only trusted users have access to plugin import functionality.