A PHP Object Injection vulnerability has been identified in the WordPress Read More & Accordion Plugin. This vulnerability could allow a malicious actor to execute code injection, SQL injection, path traversal, denial of service, and more if a proper POP chain is present.
This vulnerability was discovered and responsibly reported by Do Xuan Trung.
The vulnerability is a PHP Object Injection vulnerability that occurs in the read-more-accordion.php file. The vulnerability allows an attacker to exploit a flaw in the way that the plugin handles user input to inject malicious PHP code into the website.
The vulnerability has a CVSS 3.1 score of 6.6, which is considered to be medium. This means that the vulnerability is moderately exploitable and could have a moderate impact on the affected system.
The vulnerability affects all versions of the Read More & Accordion Plugin.
An attacker who successfully exploits this vulnerability could:
- Execute arbitrary code on the affected website.
- Inject malicious SQL code into the database.
- Perform path traversal attacks.
- Cause a denial of service attack.
Users of the Read More & Accordion Plugin can take the following actions :
- Deactivate and Remove the Plugin: In the absence of an available patch, it’s advisable to deactivate and remove the Read More & Accordion Plugin from WordPress installation. Doing so can help mitigate the associated risks until a suitable solution is released.
- Monitor for Updates: Regularly check the WordPress plugin repository for updates or patches provided by the plugin’s developer