{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6443", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-04-16T18:22:16.366Z", "datePublished": "2026-04-17T06:44:49.128Z", "dateUpdated": "2026-04-17T06:44:49.128Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-17T06:44:49.128Z"}, "affected": [{"vendor": "essentialplugin", "product": "Accordion and Accordion Slider", "versions": [{"version": "1.4.6", "status": "affected"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Accordion and Accordion Slider plugin for WordPress is vulnerable to an injected backdoor in version 1.4.6. This is due to the plugin being sold to a malicious threat actor that embedded a backdoor in all of the plugin's they acquired. This makes it possible for the threat actor to maintain a persistent backdoor and inject spam into the affected sites."}], "title": "Accordion and Accordion Slider 1.4.6 - Injected Backdoor", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2597724a-9a39-4e46-b153-f42366f833ba?source=cve"}, {"url": "https://anchor.host/someone-bought-30-wordpress-plugins-and-planted-a-backdoor-in-all-of-them/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-506 Embedded Malicious Code", "cweId": "CWE-506", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "Eu Joe Chegne"}, {"lang": "en", "type": "finder", "value": "Damien"}], "timeline": [{"time": "2026-04-16T18:38:10.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-09T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Accordion and Accordion Slider plugin for WordPress is vulnerable to an injected backdoor in version 1.4.6. This is due to the plugin being sold to a malicious threat actor that embedded a backdoor in all of the plugin's they acquired. This makes it possible for the threat actor to maintain a persistent backdoor and inject spam into the affected sites."}], "id": "CVE-2026-6443", "lastModified": "2026-04-17T07:16:03.160", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-17T07:16:03.160", "references": [{"source": "security@wordfence.com", "url": "https://anchor.host/someone-bought-30-wordpress-plugins-and-planted-a-backdoor-in-all-of-them/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2597724a-9a39-4e46-b153-f42366f833ba?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-506"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.4.6"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Accordion and Accordion Slider", "source": "cna", "vendor": "essentialplugin"}, "product": "accordion_and_accordion_slider", "vendor": "essentialplugin"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-17T09:22:00.360859+00:00", "value": {"mitigation_remediation": ["Uninstall the vulnerable Accordion and Accordion Slider plugin, then reinstall a clean version from the official WordPress plugin repository.", "Scan all site files, especially the plugin directory, for injected or hard\u2011coded credentials and remove any malicious code found.", "Review site users and permissions for any unauthorized accounts that may have been added by the backdoor, removing them and resetting passwords as needed."], "summary": {"action": "Immediate Patch", "impact": "Persistent backdoor and spam injection"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WordPress plugin Accordion and Accordion Slider, version\u202f1.4.6, sold by essentialplugin. Any WordPress site installing this exact version is directly impacted. No other versions or products are listed as affected.", "description_and_impact": "The Accordion and Accordion Slider plugin for WordPress is vulnerable because version\u202f1.4.6 contains an injected backdoor that was embedded by a malicious third\u2011party during the plugin\u2019s sale, reflecting a CWE\u2011506 vulnerability that introduces code with elevated privileges. The backdoor allows an attacker to maintain persistent access to the affected sites and inject spam or perform other malicious actions. Based on the description, it is inferred that this presents a high\u2011level risk of unauthorized code execution, data compromise, and broader site compromise.", "risk_and_exploitability": "With a CVSS score of 9.8, this issue is considered critical. The EPSS score is not available, but the backdoor appears to have already been deployed in many sites, suggesting a significant exploitation risk. The vulnerability is not yet listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector is straightforward: sites that deploy the compromised plugin are immediately compromised, providing an attacker with a full backdoor and spam capabilities."}}}}, "created": "2026-04-17T09:00:10.725978+00:00", "updated": "2026-04-17T09:30:14.469012+00:00", "vendors": ["essentialplugin", "essentialplugin$PRODUCT$accordion_and_accordion_slider", "wordpress", "wordpress$PRODUCT$wordpress"]}