Unauthorized access to file metadata in Accordion and Accordion Slider plugin

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

5.4

Unauthorized access to file metadata in Accordion and Accordion Slider plugin

CVE-2026-0727

Summary

The Accordion and Accordion Slider plugin for WordPress, in versions 1.4.5 and earlier, allows attackers with contributor-level access to read and modify file metadata, including file paths and captions, for any attachment on the site. This is a security risk because it could allow unauthorized users to access sensitive information or manipulate the site's content. To fix this, update the plugin to a version newer than 1.4.5.

Original title

Original description

The Accordion and Accordion Slider plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.5. This is due to the plugin not properly verifying that a user is authorized to perform an action in the 'wp_aas_save_attachment_data' and 'wp_aas_get_attachment_edit_form' functions. This makes it possible for authenticated attackers, with contributor level access and above, to read and modify attachment metadata including file paths, titles, captions, alt text, and custom links for any attachment on the site.

nvd CVSS3.1 5.4

Vulnerability type

CWE-862 Missing Authorization

Published: 14 Feb 2026 · Updated: 10 Mar 2026 · First seen: 6 Mar 2026