PT-2026-42074 · WordPress · Read More & Accordion
Bima Ikhsan
·
Published
2026-05-20
·
Updated
2026-05-28
·
CVE-2026-7472
CVSS v3.1
4.9
Medium
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Read More & Accordion versions prior to 3.5.8
Description
The Read More & Accordion plugin for WordPress contains a time-based blind SQL Injection. This occurs because the
orderby parameter is processed using esc attr() and esc sql() but is concatenated without quotes into an ORDER BY clause within the getAllDataByLimit() and getAccordionAllDataByLimit() functions in ReadMoreData.php. Since esc sql() only escapes quotes and backslashes, it is ineffective in an unquoted context, allowing authenticated attackers with administrator-level access or roles permitted via the yrm-user-roles setting to inject arbitrary SQL expressions. This can lead to the extraction of sensitive database information, such as administrator credential hashes.Recommendations
Update the plugin to a version later than 3.5.7.
As a temporary workaround, restrict access to the
orderby parameter or the plugin's admin pages to the minimum necessary users until the update is applied.Fix
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Read More & Accordion