CVE-2026-7472 Overview
CVE-2026-7472 is a time-based blind SQL injection vulnerability in the Read More & Accordion plugin for WordPress, affecting all versions up to and including 3.5.7. The flaw exists in the orderby parameter handling within the getAllDataByLimit() and getAccordionAllDataByLimit() functions in ReadMoreData.php. Authenticated attackers with administrator-level access, or any role granted permission through the yrm-user-roles setting, can inject arbitrary SQL expressions into the ORDER BY clause. Successful exploitation allows extraction of sensitive database contents, including administrator credential hashes. The vulnerability is classified under [CWE-89] (Improper Neutralization of Special Elements used in an SQL Command).
Critical Impact
Authenticated attackers with administrator privileges can perform time-based blind SQL injection to extract administrator credential hashes and other sensitive data from the WordPress database.
Affected Products
- Read More & Accordion plugin for WordPress (versions ≤ 3.5.7)
- WordPress sites with the expand-maker plugin installed and active
- WordPress installations where non-admin roles have been granted plugin access via yrm-user-roles
Discovery Timeline
- 2026-05-20 - CVE-2026-7472 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-7472
Vulnerability Analysis
The vulnerability resides in ReadMoreData.php within the getAllDataByLimit() and getAccordionAllDataByLimit() functions. The plugin reads $_GET['orderby'] from the request, passes it through esc_attr() (an HTML attribute escaper that provides no SQL safety), then through esc_sql(), and concatenates the result unquoted into the ORDER BY fragment of the query string. $wpdb->prepare() is only called afterwards, on a string that already contains the attacker's expression, so it treats the injected text as part of the query template rather than as a bound parameter.
Root Cause
The root cause is the misuse of esc_sql() in an unquoted SQL context. esc_sql() wraps mysqli_real_escape_string(), which backslash-escapes quote characters, backslashes, NUL bytes and line terminators; none of these has syntactic meaning inside an unquoted ORDER BY clause, and the escaper leaves keywords, parentheses, commas and operators untouched. Because the attacker-controlled value is concatenated without surrounding quotes, a payload such as (SELECT SLEEP(5)) passes through esc_sql() unchanged and is executed as SQL. WordPress documentation explicitly warns that esc_sql() is only safe for values that will be enclosed in quotes; identifiers and ORDER BY values require $wpdb->prepare() with the %i placeholder (WordPress 6.2 and later) or a strict allowlist of column names and sort directions.
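The pattern described above next to a hardened replacement, written for this page as an added example and not taken from the plugin's code. Only esc_attr(), esc_sql(), sanitize_key(), $wpdb->prepare() and $wpdb->get_results() are real WordPress APIs; the function names prefixed yrm_example_, the readmore_items table and its column names are assumptions. The vulnerable half reproduces the bug as the text describes it and must not be deployed.

```php
<?php
// Added example (not the plugin's code). Assumes a loaded WordPress environment
// ($wpdb, esc_attr(), esc_sql(), sanitize_key()). Table and column names are hypothetical.

// VULNERABLE: esc_attr() is HTML escaping and esc_sql() only escapes quote-like characters,
// so an unquoted value such as "(SELECT SLEEP(5))" reaches the query text untouched.
function yrm_example_vulnerable_list( $limit, $offset ) {
    global $wpdb;
    $table   = $wpdb->prefix . 'readmore_items';                          // hypothetical table
    $orderby = isset( $_GET['orderby'] ) ? esc_attr( $_GET['orderby'] ) : 'id';
    $orderby = esc_sql( $orderby );                                        // no effect in an unquoted context
    $sql     = "SELECT * FROM {$table} ORDER BY {$orderby} LIMIT %d OFFSET %d";
    // prepare() only binds %d; the injected expression is already part of the template.
    return $wpdb->get_results( $wpdb->prepare( $sql, $limit, $offset ) );
}

// HARDENED step 1: reduce orderby and order to members of a fixed allowlist before
// they touch the query. Anything not on the list falls back to a safe default.
function yrm_example_allowlisted_orderby() {
    $allowed = array( 'id', 'title', 'created' );                         // hypothetical column names
    $orderby = isset( $_GET['orderby'] ) ? sanitize_key( $_GET['orderby'] ) : 'id';
    $order   = ( isset( $_GET['order'] ) && strtoupper( $_GET['order'] ) === 'DESC' ) ? 'DESC' : 'ASC';
    if ( ! in_array( $orderby, $allowed, true ) ) {
        $orderby = 'id';
    }
    return array( $orderby, $order );
}

// HARDENED step 2: pass the column name through the %i identifier placeholder
// (WordPress >= 6.2), which backtick-quotes it. The sort direction is not an
// identifier and cannot use %i, which is why it is allowlisted above.
function yrm_example_safe_list( $limit, $offset ) {
    global $wpdb;
    $table = $wpdb->prefix . 'readmore_items';
    list( $orderby, $order ) = yrm_example_allowlisted_orderby();
    $sql = $wpdb->prepare(
        "SELECT * FROM %i ORDER BY %i {$order} LIMIT %d OFFSET %d",
        $table,
        $orderby,
        (int) $limit,
        (int) $offset
    );
    return $wpdb->get_results( $sql );
}
```

The allowlist alone is sufficient on older WordPress releases that lack %i; the placeholder is defence in depth, and it also closes the case where a column name is itself read from configuration.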
Attack Vector
An authenticated attacker with administrator access, or a lower-privileged role explicitly permitted via the yrm-user-roles setting, sends a crafted GET request to the plugin's admin listing pages (views/readMorePagesView.php or views/accordionBuilder/list.php). The orderby parameter carries a payload such as (SELECT SLEEP(5)) or a conditional subquery like (CASE WHEN (SUBSTRING((SELECT user_pass FROM wp_users LIMIT 1),1,1)='a') THEN SLEEP(5) ELSE 0 END). Whether the response is delayed tells the attacker whether the condition held, one boolean per request, enabling character-by-character extraction of credential hashes and other secrets.
No verified proof-of-concept code is available. See the Wordfence Vulnerability Report and the vulnerable code in ReadMoreData.php for technical details.
Detection Methods for CVE-2026-7472
Indicators of Compromise
- Authenticated HTTP GET requests to WordPress admin pages whose orderby parameter value contains anything other than a plain column identifier: SQL keywords such as SLEEP, BENCHMARK, SELECT, CASE or WHEN, parentheses, quotes, commas or arithmetic operators.
- Repeated requests from the same authenticated session to readMorePagesView.php or accordionBuilder/list.php with sequentially varying orderby payloads, indicating bit-by-bit data extraction.
- Database query logs containing unquoted SQL expressions in ORDER BY clauses originating from the expand-maker plugin.
Detection Strategies
- Inspect WordPress access logs and web application firewall logs for orderby parameter values containing parentheses, SQL functions, or arithmetic operators.
- Enable MySQL slow query logging with long_query_time set at or below the delay an attacker would probe with (for example 1 second), and correlate each slow query with the HTTP request that triggered it.
- Deploy WAF rules that block SQL keywords appearing in orderby, order, or similar sort parameters on WordPress administrative endpoints.
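The indicators and strategies above, run over a handful of constructed access-log lines, as an added example written for this page (not a Wordfence or vendor tool). It parses Apache combined-format lines with an extra trailing %D field (request duration in microseconds), extracts orderby from the query string, flags any value that fails an identifier allowlist, and groups hits per client so that the sequential, slow request pattern of a time-based extraction stands out. The log lines, the page=example slug and the %D field are assumptions about the target's log format.

```php
<?php
// Added detection example (not from the page's vendor or Wordfence). Log lines are constructed;
// the "page=example" slug and trailing %D (microseconds) field are assumptions about the log format.

const YRM_IDENTIFIER_RE = '/^[A-Za-z0-9_]{1,64}$/';   // what a legitimate orderby looks like
const YRM_SLOW_MICROS   = 4000000;                    // 4 s: just under SLEEP(5) to allow for jitter
const YRM_SEQ_THRESHOLD = 3;                          // distinct suspicious payloads from one client

// Constructed sample: one benign request, three from a probing client, one benign request.
$lines = <<<'LOG'
192.0.2.10 - - [20/May/2026:10:01:02 +0000] "GET /wp-admin/admin.php?page=example&orderby=title HTTP/1.1" 200 5123 "-" "Mozilla/5.0" 83211
203.0.113.7 - - [20/May/2026:10:02:10 +0000] "GET /wp-admin/admin.php?page=example&orderby=%28SELECT%20SLEEP%285%29%29 HTTP/1.1" 200 5123 "-" "python-requests/2.31" 5012345
203.0.113.7 - - [20/May/2026:10:02:16 +0000] "GET /wp-admin/admin.php?page=example&orderby=%28CASE%20WHEN%20%28SUBSTRING%28%28SELECT%20user_pass%20FROM%20wp_users%20LIMIT%201%29%2C1%2C1%29%3D%27a%27%29%20THEN%20SLEEP%285%29%20ELSE%200%20END%29 HTTP/1.1" 200 5123 "-" "python-requests/2.31" 5009871
203.0.113.7 - - [20/May/2026:10:02:22 +0000] "GET /wp-admin/admin.php?page=example&orderby=%28CASE%20WHEN%20%28SUBSTRING%28%28SELECT%20user_pass%20FROM%20wp_users%20LIMIT%201%29%2C2%2C1%29%3D%27b%27%29%20THEN%20SLEEP%285%29%20ELSE%200%20END%29 HTTP/1.1" 200 5123 "-" "python-requests/2.31" 5011002
198.51.100.4 - - [20/May/2026:10:03:00 +0000] "GET /wp-admin/admin.php?page=example&orderby=id&order=desc HTTP/1.1" 200 5123 "-" "Mozilla/5.0" 91004
LOG;

// Parse one combined-format line (with optional trailing %D) into its fields.
function yrm_parse_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "[^"]*"(?: (\d+))?$/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    $params = array();
    $query  = parse_url( $m[4], PHP_URL_QUERY );
    if ( is_string( $query ) ) {
        parse_str( $query, $params );   // parse_str URL-decodes, so %28 becomes "("
    }
    return array(
        'ip'     => $m[1],
        'time'   => $m[2],
        'path'   => (string) parse_url( $m[4], PHP_URL_PATH ),
        'params' => $params,
        'status' => (int) $m[5],
        'micros' => isset( $m[6] ) ? (int) $m[6] : null,
    );
}

// Allowlist check: anything that is not a bare identifier is suspicious, which catches
// SLEEP(), CASE WHEN, subqueries and arithmetic without enumerating keywords.
function yrm_is_suspicious_orderby( $value ): bool {
    return is_string( $value ) && ! preg_match( YRM_IDENTIFIER_RE, $value );
}

// Group suspicious admin requests per client and summarise the extraction indicators.
function yrm_scan( array $lines ): array {
    $per_client = array();
    foreach ( $lines as $line ) {
        $r = yrm_parse_line( trim( $line ) );
        if ( $r === null || strpos( $r['path'], '/wp-admin/' ) !== 0 ) {
            continue;
        }
        $orderby = $r['params']['orderby'] ?? null;
        if ( ! yrm_is_suspicious_orderby( $orderby ) ) {
            continue;
        }
        $ip = $r['ip'];
        if ( ! isset( $per_client[ $ip ] ) ) {
            $per_client[ $ip ] = array( 'hits' => 0, 'payloads' => array(), 'slow' => 0 );
        }
        $per_client[ $ip ]['hits']++;
        $per_client[ $ip ]['payloads'][ $orderby ] = true;      // distinct payloads = sequence length
        if ( ( $r['micros'] ?? 0 ) >= YRM_SLOW_MICROS ) {
            $per_client[ $ip ]['slow']++;                        // SLEEP-style timing signal
        }
    }
    $alerts = array();
    foreach ( $per_client as $ip => $c ) {
        $alerts[ $ip ] = array(
            'hits'     => $c['hits'],
            'distinct' => count( $c['payloads'] ),
            'slow'     => $c['slow'],
            'sequence' => count( $c['payloads'] ) >= YRM_SEQ_THRESHOLD,
        );
    }
    return $alerts;
}

foreach ( yrm_scan( explode( "\n", $lines ) ) as $ip => $a ) {
    printf( "ALERT %s: %d suspicious orderby request(s), %d distinct payload(s), %d slow (>= %d s)%s\n",
        $ip, $a['hits'], $a['distinct'], $a['slow'], YRM_SLOW_MICROS / 1000000,
        $a['sequence'] ? ' [sequential extraction pattern]' : '' );
}
```

On the constructed input only 203.0.113.7 is reported: three non-identifier orderby values, all above the timing threshold, which is the shape of a blind extraction loop. Keying on client IP is a stand-in for the WordPress session or user, which an access log does not carry; where the site logs the authenticated username, group on that instead.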
Monitoring Recommendations
- Monitor administrator accounts, and any role granted plugin access via yrm-user-roles, for unusual sequences of requests to the plugin's admin pages.
- Alert on response-time anomalies on /wp-admin/ endpoints, which can indicate time-based blind injection probing.
- Track installation and version state of the expand-maker plugin across WordPress fleets and flag any instance running version 3.5.7 or earlier.
How to Mitigate CVE-2026-7472
Immediate Actions Required
- Identify all WordPress sites running the Read More & Accordion (expand-maker) plugin and confirm the installed version.
- Update the plugin to a patched release once published by the vendor, or deactivate and remove it if a patch is unavailable.
- Audit the yrm-user-roles setting and revoke plugin admin access from any role that does not strictly require it.
- Rotate WordPress administrator passwords and invalidate active sessions if exploitation is suspected.
Patch Information
At the time of publication, no fixed version had been identified in the available references. Administrators should consult the Wordfence Vulnerability Report and the WordPress.org plugin page for the latest patched release.
Workarounds
- Deactivate the Read More & Accordion plugin until a patched version is available.
- Restrict the yrm-user-roles setting to administrators only, reducing the population of accounts able to reach the vulnerable code path.
- Deploy a web application firewall rule that rejects requests to plugin admin views containing non-allowlisted characters in the orderby parameter.
- Apply principle of least privilege to the database user configured in wp-config.php to limit data accessible through injection.
# Example WAF rule (ModSecurity): on /wp-admin/ requests, reject any orderby value that is not a plain identifier.
# An allowlist refuses SLEEP(), CASE WHEN, subqueries and arithmetic alike without enumerating keywords.
SecRule REQUEST_URI "@beginsWith /wp-admin/" \
    "id:1002026,phase:2,deny,status:403,log,msg:'CVE-2026-7472 SQLi attempt in orderby',chain"
    SecRule ARGS:orderby "!@rx ^[A-Za-z0-9_]{1,64}$" "t:none"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.