A PHP Object Injection vulnerability has been identified in the WordPress Read More & Accordion Plugin. This vulnerability could allow a malicious actor to achieve code injection, SQL injection, path traversal, denial of service, and more if a suitable POP (property-oriented programming) chain is present in the application.

This vulnerability was discovered and responsibly reported by Do Xuan Trung.

The vulnerability is a PHP Object Injection vulnerability that occurs in the read-more-accordion.php file. It stems from a flaw in the way the plugin handles user input, which allows an attacker to inject a crafted serialized PHP object into the website.
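The following is an added illustration of the vulnerability class described above, not code from the plugin or from the researcher's report. It shows the generic pattern behind PHP Object Injection (passing untrusted input to unserialize()) next to two hardened alternatives and a small check that flags serialized-object payloads before they reach a deserializer. The parameter name, the sample input and the helper names are assumptions made for the example.

```php
<?php
// Added example (not the plugin's code). Names such as $_REQUEST['state']
// and the functions below are hypothetical and chosen for illustration only.

// Vulnerable pattern: unserialize() on untrusted input instantiates whatever
// classes the payload names, so magic methods (__wakeup, __destruct, ...) of
// any loaded class can run with attacker-controlled properties.
function load_state_unsafe(string $raw)
{
    return unserialize($raw); // vulnerable: no class restriction
}

// Hardened option 1: keep unserialize() but refuse objects entirely.
// Any object in the payload becomes __PHP_Incomplete_Class and no user-defined
// magic method executes; only scalars and arrays come back.
function load_state_scalars_only(string $raw)
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    // unserialize() returns false both for the literal serialized false
    // ("b:0;") and for malformed input, so distinguish the two.
    if ($data === false && $raw !== serialize(false)) {
        return null; // malformed or rejected input
    }
    return $data;
}

// Hardened option 2: do not use PHP serialization for user-supplied state at all.
// JSON decoded to associative arrays cannot instantiate application classes.
function load_state_json(string $raw): ?array
{
    try {
        $data = json_decode($raw, true, 32, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;
    }
    return is_array($data) ? $data : null;
}

// Detection helper: true when a value carries a serialized PHP object
// ("O:" or "C:" records), e.g. for request logging or an input filter that
// runs before any deserialization. Legitimate array/scalar state never
// contains these records.
function looks_like_serialized_object(string $raw): bool
{
    return (bool) preg_match('/(^|[;{])[OC]:\d+:"[A-Za-z0-9_\\\\]+":\d+:\{/', $raw);
}

// Constructed sample inputs (not captured traffic).
$benign   = serialize(['open' => true, 'title' => 'Read more']); // a:2:{...}
$objectIn = 'O:8:"stdClass":1:{s:4:"open";b:1;}';                // carries an object

var_dump(looks_like_serialized_object($benign));     // bool(false)
var_dump(looks_like_serialized_object($objectIn));   // bool(true)
var_dump(load_state_scalars_only($objectIn));        // __PHP_Incomplete_Class, no method runs
var_dump(load_state_json('{"open":true}'));          // array(1) { ["open"]=> bool(true) }
```

The `allowed_classes` option of unserialize() exists since PHP 7.0; on older runtimes only the JSON route removes the risk. The detection helper is a triage aid for logs and request filters, not a substitute for removing unserialize() from the input path.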

Severity:

The vulnerability has a CVSS 3.1 score of 6.6, which is considered to be medium. This means that the vulnerability is moderately exploitable and could have a moderate impact on the affected system.

Affected Versions:

The vulnerability affects all versions of the Read More & Accordion Plugin.

Impact:

An attacker who successfully exploits this vulnerability could:

  • Execute arbitrary code on the affected website.
  • Inject malicious SQL code into the database.
  • Perform path traversal attacks.
  • Cause a denial of service.

Recommendation:

Users of the Read More & Accordion Plugin can take the following actions:

  • Deactivate and Remove the Plugin: In the absence of an available patch, it’s advisable to deactivate and remove the Read More & Accordion Plugin from the WordPress installation. Doing so can help mitigate the associated risks until a suitable solution is released.
  • Monitor for Updates: Regularly check the WordPress plugin repository for updates or patches provided by the plugin’s developer.