CVE-2026-7467 Overview
The Read More & Accordion plugin for WordPress contains a privilege escalation vulnerability affecting all versions up to and including 3.5.7. The flaw resides in the RadMoreAjax::importData function, which fails to restrict writable database tables during import operations and does not validate imported data. Authenticated attackers granted import permissions through the plugin's role settings can insert arbitrary rows into the wp_users and wp_usermeta tables. By manipulating the wp_capabilities field, attackers create new administrator accounts and seize full control of the WordPress site. The vulnerability is classified under [CWE-269] Improper Privilege Management.
Critical Impact
Authenticated attackers with plugin-granted permissions can create administrator accounts and achieve full site takeover.
Affected Products
- Read More & Accordion plugin for WordPress, all versions through 3.5.7
- WordPress sites running the plugin under the expand-maker plugin slug
- Sites where the plugin's role settings grant import permissions to non-administrator users
Discovery Timeline
- 2026-05-20 - CVE-2026-7467 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-7467
Vulnerability Analysis
The vulnerability is a privilege escalation flaw rooted in the plugin's import functionality. The RadMoreAjax::importData function processes user-supplied data intended for plugin configuration import. The function lacks two critical security controls: table name allowlisting and content validation of the imported payload.
Attackers exploit this by submitting crafted import data that targets WordPress core tables instead of plugin-specific tables. The plugin writes the attacker-controlled rows directly into wp_users for new user creation and into wp_usermeta for assigning capabilities. Setting the wp_capabilities meta field to a:1:{s:13:"administrator";b:1;} grants the new account full administrative privileges.
Because exploitation requires authenticated access with plugin-granted import permissions, the attack surface depends on site owner configuration. However, many WordPress administrators delegate plugin permissions to editor or contributor roles, expanding the exploitable population.
Root Cause
The root cause is the absence of input validation and authorization boundaries in the importData function. The function trusts that the caller-supplied table name corresponds to a plugin-owned table. No allowlist enforces this assumption, allowing the function to operate as an arbitrary database write primitive against any table the WordPress database user can access.
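A hardened AJAX import handler of the kind this root cause calls for, added here as an example; it is not the plugin's code, and the function names, action name, plugin table name and column schema are assumptions for illustration:

```php
<?php
// Added example, not the plugin's code: every name below (rad_import_allowed_tables,
// the 'rad_import' action, the expand_maker_items table, the column schema) is assumed.

function rad_import_allowed_tables() {
    global $wpdb;
    // Allowlist of plugin-owned tables: an import may never name wp_users, wp_usermeta
    // or any other core table.
    return array( $wpdb->prefix . 'expand_maker_items' );
}

function rad_import_handler() {
    global $wpdb;

    // Authorization is a fixed high capability, not a plugin role setting that can be
    // delegated to editors or contributors.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    check_ajax_referer( 'rad_import', 'nonce' );

    $payload = json_decode( wp_unslash( $_POST['data'] ?? '' ), true );
    if ( ! is_array( $payload ) || ! isset( $payload['table'], $payload['rows'] ) ) {
        wp_send_json_error( 'malformed import', 400 );
    }

    // Table allowlist: the caller-supplied table name is compared strictly against
    // the plugin-owned list instead of being trusted.
    $table = $payload['table'];
    if ( ! in_array( $table, rad_import_allowed_tables(), true ) ) {
        wp_send_json_error( 'table not importable', 400 );
    }

    // Column allowlist with typed formats; rows are rebuilt in schema order so the
    // $wpdb->insert() format array lines up with the values.
    $schema = array( 'title' => '%s', 'content' => '%s', 'status' => '%d' );
    $count  = 0;
    foreach ( (array) $payload['rows'] as $row ) {
        $data = array();
        foreach ( $schema as $col => $fmt ) {
            if ( ! is_array( $row ) || ! isset( $row[ $col ] ) ) {
                continue 2; // missing column: drop the whole row
            }
            $data[ $col ] = $row[ $col ];
        }
        $data['title']   = sanitize_text_field( $data['title'] );
        $data['content'] = wp_kses_post( $data['content'] );
        $data['status']  = (int) $data['status'];
        if ( $wpdb->insert( $table, $data, array_values( $schema ) ) ) {
            $count++;
        }
    }
    wp_send_json_success( array( 'inserted' => $count ) );
}
add_action( 'wp_ajax_rad_import', 'rad_import_handler' );
```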
Attack Vector
The attack is remotely exploitable over the network through the WordPress AJAX endpoint. The attacker authenticates with a low-privilege account that has been granted plugin import permissions. The attacker then submits a malicious import payload referencing wp_users and wp_usermeta as target tables. The plugin inserts the rows without validation, creating a new administrator account the attacker can immediately use to log in.
Review the vulnerable function in the WordPress Plugin Source Code and the Wordfence Vulnerability Report for technical details.
Detection Methods for CVE-2026-7467
Indicators of Compromise
- Unexpected new entries in the wp_users table, particularly accounts created outside normal registration flows
- New wp_usermeta rows containing wp_capabilities values set to administrator for recently created users
- POST requests to admin-ajax.php invoking the importData action from non-administrator sessions
- Login events from newly created administrator accounts originating from unfamiliar IP addresses
Detection Strategies
- Audit the wp_users table for accounts without corresponding registration logs or email confirmations
- Monitor wp_usermeta for wp_capabilities modifications correlated with plugin AJAX activity
- Inspect WordPress access logs for RadMoreAjax or importData action calls from low-privilege users
- Compare scheduled snapshots of administrator account lists to identify unauthorized additions
Monitoring Recommendations
- Enable WordPress audit logging plugins to capture user creation and role assignment events
- Forward web server and PHP logs to a centralized SIEM for correlation with authentication events
- Alert on creation of any new administrator account outside change-control windows
- Track plugin AJAX endpoints accessed by users below the administrator role
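One way to implement the snapshot comparison from the detection strategies above, added here as an example and not code from the plugin or any vendor. Rows written straight into wp_users and wp_usermeta through $wpdb never fire the user_register or set_user_role hooks, so hook-based audit logging can miss this class of account creation; reading the capabilities meta directly does not depend on those hooks. The option name and cron hook name are assumptions:

```php
<?php
// Added example (not the plugin's or a vendor's code). The option name
// 'rad_admin_baseline' and the hook 'rad_admin_baseline_check' are assumed.

function rad_current_admin_ids() {
    global $wpdb;
    // Read the capabilities meta directly; direct table inserts bypass WordPress hooks,
    // so this is the layer at which an injected administrator becomes visible.
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT user_id, meta_value FROM {$wpdb->usermeta} WHERE meta_key = %s",
        $wpdb->prefix . 'capabilities'
    ) );
    $admins = array();
    foreach ( $rows as $row ) {
        // Stored as a PHP-serialized array, e.g. a:1:{s:13:"administrator";b:1;}
        $caps = maybe_unserialize( $row->meta_value );
        if ( is_array( $caps ) && ! empty( $caps['administrator'] ) ) {
            $admins[] = (int) $row->user_id;
        }
    }
    sort( $admins );
    return $admins;
}

function rad_check_admin_baseline() {
    $current  = rad_current_admin_ids();
    $baseline = get_option( 'rad_admin_baseline' );
    if ( false === $baseline ) {
        // First run: record the reviewed administrator set as the baseline.
        update_option( 'rad_admin_baseline', $current, false );
        return array();
    }
    // Any administrator not in the baseline is reported; the baseline is only
    // refreshed by an operator after the addition has been reviewed.
    $added = array_values( array_diff( $current, (array) $baseline ) );
    foreach ( $added as $user_id ) {
        $user = get_userdata( $user_id );
        error_log( sprintf(
            'ALERT: administrator %d (%s) not in baseline; user_registered=%s',
            $user_id,
            $user ? $user->user_login : 'unknown',
            $user ? $user->user_registered : '?'
        ) );
    }
    return $added;
}

add_action( 'rad_admin_baseline_check', 'rad_check_admin_baseline' );
if ( ! wp_next_scheduled( 'rad_admin_baseline_check' ) ) {
    wp_schedule_event( time(), 'hourly', 'rad_admin_baseline_check' );
}
```

Forward the error_log line to the SIEM named in the monitoring recommendations so it can be correlated with the admin-ajax.php requests and login events listed above.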
How to Mitigate CVE-2026-7467
Immediate Actions Required
- Update the Read More & Accordion plugin to a version newer than 3.5.7 once the vendor releases a patch
- Revoke plugin import permissions from all non-administrator roles in the plugin's role settings
- Audit existing administrator accounts and remove any unauthorized entries
- Rotate credentials and session tokens for all administrator accounts after remediation
Patch Information
As of the NVD publication date of 2026-05-20, all versions up to and including 3.5.7 are vulnerable. Site administrators should monitor the WordPress plugin repository and the Wordfence Vulnerability Report for patch availability and apply the fixed version immediately.
Workarounds
- Deactivate the Read More & Accordion plugin until a patched version is available
- Restrict the plugin's import functionality to administrator-only access by editing the plugin's role configuration
- Deploy a web application firewall rule blocking AJAX requests to the importData action from non-administrator users
- Apply database-layer least-privilege controls so the WordPress user cannot write to wp_users or wp_usermeta outside core flows where feasible
# Disable the plugin via WP-CLI until a patched version is released
wp plugin deactivate expand-maker
# List administrator accounts to identify unauthorized additions
wp user list --role=administrator --fields=ID,user_login,user_email,user_registered
# Remove an unauthorized administrator account (replace USER_ID)
wp user delete USER_ID --reassign=1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.