WordPress · Read More & Accordion · CVE-2026-7472
**Name of the Vulnerable Software and Affected Versions**
Read More & Accordion versions prior to 3.5.8
**Description**
The Read More & Accordion plugin for WordPress contains a time-based blind SQL injection. The `orderby` parameter is passed through `esc_attr()` and `esc_sql()` but is then concatenated, unquoted, into an ORDER BY clause in the `getAllDataByLimit()` and `getAccordionAllDataByLimit()` functions in ReadMoreData.php. Because `esc_sql()` only escapes quotes and backslashes, it provides no protection in an unquoted context, so authenticated attackers with administrator-level access, or with a role permitted via the `yrm-user-roles` setting, can inject arbitrary SQL expressions. This can lead to the extraction of sensitive database information, such as administrator credential hashes.
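The following PHP is an added illustration of the bug class described above, not the plugin's own code: it contrasts escaped-but-unquoted concatenation into ORDER BY with an allow-listed clause. `fake_esc_sql()`, the table name and the column list are constructed assumptions.

```php
<?php
// Constructed stand-in for WordPress esc_sql(): escapes quotes and backslashes only.
function fake_esc_sql(string $s): string {
    return addslashes($s);
}

// Vulnerable pattern: the value is escaped, then dropped unquoted into ORDER BY.
// Escaping only matters inside a quoted string literal; here there are no quotes to break out of.
function vulnerable_query(string $orderby): string {
    $orderby = fake_esc_sql($orderby);
    return "SELECT * FROM wp_readmore ORDER BY {$orderby} LIMIT 10"; // table name is constructed
}

// Hardened pattern: accept only a known column and direction; anything else falls back to a default.
function safe_orderby(string $input, array $allowed_columns, string $default = 'id ASC'): string {
    $parts  = preg_split('/\s+/', trim($input));
    $column = $parts[0] ?? '';
    $dir    = strtoupper($parts[1] ?? 'ASC');
    $valid  = count($parts) <= 2
        && in_array($column, $allowed_columns, true)
        && in_array($dir, ['ASC', 'DESC'], true);
    return $valid ? "{$column} {$dir}" : $default;
}

function hardened_query(string $orderby): string {
    // Allowed columns are constructed for this example.
    $clause = safe_orderby($orderby, ['id', 'title', 'created_at']);
    return "SELECT * FROM wp_readmore ORDER BY {$clause} LIMIT 10";
}

// Constructed input: it contains no quotes, so fake_esc_sql() changes nothing and the
// extra expression reaches the query verbatim in the vulnerable version.
$probe = 'id, (SELECT 1)';
echo vulnerable_query($probe), "\n"; // expression survives into ORDER BY
echo hardened_query($probe), "\n";   // falls back to "id ASC"
echo hardened_query('title desc'), "\n"; // accepted: "title DESC"
```

WordPress also ships `sanitize_sql_orderby()`, which enforces a column/direction pattern; an explicit allow-list of column names, as above, is stricter and is the usual fix for this class of issue.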
**Recommendations**
Update the plugin to a version later than 3.5.7.
As a temporary workaround, restrict access to the `orderby` parameter or the plugin's admin pages to the minimum necessary users until the update is applied.