CVE-2026-15652 Overview
CVE-2026-15652 is a Stored Cross-Site Scripting (XSS) vulnerability [CWE-79] in the Easy Accordion – AI-Powered FAQ & Accordion Blocks, Product FAQ plugin for WordPress. The flaw affects all versions up to and including 3.1.6. The vulnerability originates in the plugin's ShortcodeBlock.php handler, which processes the align block attribute without sufficient input sanitization or output escaping. Authenticated users with contributor-level access or higher can inject arbitrary JavaScript that executes in the browser of any visitor who views the affected page.
Critical Impact
Authenticated contributors can persist malicious scripts in WordPress pages, enabling session theft, administrative account takeover, and redirection of site visitors to attacker-controlled infrastructure.
Affected Products
- Easy Accordion – AI-Powered FAQ & Accordion Blocks, Product FAQ plugin for WordPress
- All versions up to and including 3.1.6
- WordPress sites permitting contributor-level or higher user registration
Discovery Timeline
- 2026-07-16 - CVE-2026-15652 published to NVD
- 2026-07-16 - Last updated in NVD database
Technical Details for CVE-2026-15652
Vulnerability Analysis
The vulnerability resides in the Gutenberg block rendering logic of the Easy Accordion plugin. When a user configures an accordion block, the align attribute value is passed from the block editor into server-side rendering code in ShortcodeBlock.php at lines 127, 150, and 153. The plugin concatenates this attribute directly into HTML output without applying WordPress escaping functions such as esc_attr() or a strict allowlist of valid alignment values.
Because the align attribute is expected to be a short keyword like left, center, or right, the developer treated it as trusted data. An attacker instead supplies a payload that breaks out of the HTML attribute context and injects a script element or event handler. The stored payload persists in post content and executes for every user who loads the page.
Root Cause
The root cause is missing input sanitization and missing output escaping on a Gutenberg block attribute. WordPress requires plugins to sanitize saved block attributes and escape them at render time. The plugin performs neither operation on the align value, resulting in a persistent client-side injection primitive.
Attack Vector
Exploitation requires a contributor-level or higher account on the target WordPress site. The attacker crafts a post containing an Easy Accordion block and manipulates the block markup to place a JavaScript payload in the align attribute. When the post is saved and later viewed by an administrator or site visitor, the injected script runs in that user's browser session, allowing cookie theft, cross-site request forgery against administrative endpoints, or arbitrary DOM manipulation.
Refer to the Wordfence Vulnerability Analysis and the vulnerable code paths in ShortcodeBlock.php Line 127 for technical details.
Detection Methods for CVE-2026-15652
Indicators of Compromise
- Posts or pages containing Easy Accordion blocks with unusual characters in the align attribute such as quotes, angle brackets, or on* event handler names
- Outbound requests from browsers of authenticated users to unfamiliar domains shortly after loading pages containing accordion content
- Newly created administrative accounts or unexpected role changes following contributor activity on affected sites
Detection Strategies
- Audit the WordPress wp_posts table for accordion block markup containing <script, javascript:, or event handler patterns within align attribute values
- Review web server access logs for POST requests to wp-admin/post.php from contributor accounts that include suspicious block attribute payloads
- Monitor the WordPress plugin version and confirm it is above the vulnerable 3.1.6 release
Monitoring Recommendations
- Enable a Content Security Policy (CSP) that restricts inline script execution to detect and block injected payloads
- Alert on contributor and author account activity that includes creation or modification of pages containing custom block markup
- Ingest WordPress access and audit logs into a centralized logging platform for correlation of suspicious block editing and subsequent administrator page views
How to Mitigate CVE-2026-15652
Immediate Actions Required
- Update the Easy Accordion plugin to a version newer than 3.1.6 as soon as the patched release is available
- Audit all contributor, author, and editor accounts and remove any that are not required for site operations
- Review existing posts and pages for Easy Accordion blocks and inspect their align attribute values for injected payloads
Patch Information
The vendor addressed the issue in a subsequent release. Review the WordPress Revision Changeset to confirm sanitization and escaping have been added to the align attribute handling in ShortcodeBlock.php. Site administrators should apply the update through the WordPress plugin management console and verify the installed version afterward.
Workarounds
- Temporarily deactivate the Easy Accordion plugin until the patched version is installed
- Restrict contributor and author role assignments to trusted users only, since exploitation requires an authenticated account
- Deploy a web application firewall rule that blocks requests containing script tags or event handlers in Gutenberg block attributes
# Confirm installed Easy Accordion plugin version via WP-CLI
wp plugin get easy-accordion-free --field=version
# Deactivate the plugin until a fixed version is available
wp plugin deactivate easy-accordion-free
# Search post content for suspicious align attribute payloads
wp db query "SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%\"align\":%<%' OR post_content LIKE '%\"align\":%javascript:%';"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

