PT-2026-42074 · WordPress · Read More & Accordion

Bima Ikhsan

·

Published

2026-05-20

·

Updated

2026-05-28

·

CVE-2026-7472

CVSS v3.1

4.9

Medium

VectorAV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions Read More & Accordion versions prior to 3.5.8
Description The Read More & Accordion plugin for WordPress contains a time-based blind SQL Injection. This occurs because the orderby parameter is processed using esc attr() and esc sql() but is concatenated without quotes into an ORDER BY clause within the getAllDataByLimit() and getAccordionAllDataByLimit() functions in ReadMoreData.php. Since esc sql() only escapes quotes and backslashes, it is ineffective in an unquoted context, allowing authenticated attackers with administrator-level access or roles permitted via the yrm-user-roles setting to inject arbitrary SQL expressions. This can lead to the extraction of sensitive database information, such as administrator credential hashes.
Recommendations Update the plugin to a version later than 3.5.7. As a temporary workaround, restrict access to the orderby parameter or the plugin's admin pages to the minimum necessary users until the update is applied.

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-7472

Affected Products

Read More & Accordion