Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
6.4
Simple Wp Colorfull Accordion Plugin Allows Malicious Scripts on WordPress Sites
CVE-2026-1904
Summary
The Simple Wp Colorfull Accordion plugin for WordPress has a security flaw that lets attackers inject malicious code into pages. This can happen when an attacker with contributor or higher access edits the plugin's shortcode, allowing them to run scripts on any page that uses the accordion. To fix this, update the plugin to the latest version or remove it if you don't use it.
Original title
The Simple Wp colorfull Accordion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter in the 'accordion' shortcode in all versions up to, and including, 1.0 ...
Original description
The Simple Wp colorfull Accordion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter in the 'accordion' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
nvd CVSS3.1
6.4
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
Published: 14 Feb 2026 · Updated: 10 Mar 2026 · First seen: 6 Mar 2026