CVE-2020-13644

Name of the Vulnerable Software and Affected Versions Accordion plugin versions prior to 2.2.9

Description An issue in the Accordion plugin for WordPress allows any authenticated user with Subscriber or higher permissions to import a new accordion and inject malicious JavaScript. This is due to the unprotected AJAX wp ajax accordions ajax import json action.

Recommendations For versions prior to 2.2.9, update to version 2.2.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the wp ajax accordions ajax import json AJAX action to prevent malicious JavaScript injection.