The Accordion and Accordion Slider plugin for WordPress suffers from a missing authorization check vulnerability identified as CVE-2026-0727 (CWE-862). This vulnerability affects all versions up to and including 1.4.5. The root cause is the plugin's failure to verify that a user is authorized to perform sensitive actions within the 'wp_aas_save_attachment_data' and 'wp_aas_get_attachment_edit_form' functions. As a result, any authenticated user with contributor-level permissions or higher can bypass intended access controls to read and modify attachment metadata. This metadata includes critical information such as file paths, titles, captions, alternative text, and custom links associated with media attachments on the WordPress site. The vulnerability does not require user interaction and can be exploited remotely over the network. The CVSS 3.1 base score is 5.4, reflecting a medium severity level due to the low complexity of exploitation (low attack complexity), network attack vector, and limited privileges required (low privileges). The impact primarily affects confidentiality and integrity, as unauthorized users can view and alter media metadata, potentially leading to misinformation, content manipulation, or indirect exposure of sensitive file paths. Availability is not impacted. No public exploits have been reported yet, but the vulnerability poses a risk especially in environments where contributor-level users are common. The plugin vendor has not yet provided patches, so mitigation strategies are critical to reduce risk.

This vulnerability allows authenticated users with contributor-level access or higher to bypass authorization controls and manipulate media attachment metadata. The potential impacts include unauthorized disclosure of file paths and metadata, which could aid attackers in further reconnaissance or targeted attacks. Altered metadata such as captions, alt text, or custom links can mislead site visitors or degrade content integrity, potentially damaging organizational reputation. While the vulnerability does not allow direct file uploads or deletions, the ability to modify metadata could be leveraged in multi-stage attacks or social engineering. Organizations relying on this plugin for content presentation are at risk of data integrity issues and unauthorized information disclosure. Since contributor-level access is relatively low privilege, the attack surface is broad in multi-user WordPress environments. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as exploit code could be developed. Overall, the vulnerability poses a moderate risk to confidentiality and integrity of website content and media assets.

Organizations should immediately audit their WordPress installations to identify if the Accordion and Accordion Slider plugin is in use and confirm the version. If the plugin is present and running version 1.4.5 or earlier, they should restrict contributor-level user permissions temporarily to trusted users only. Since no official patch is currently available, consider disabling or uninstalling the plugin until a fix is released. Alternatively, implement web application firewall (WAF) rules to monitor and block unauthorized requests targeting the vulnerable functions ('wp_aas_save_attachment_data' and 'wp_aas_get_attachment_edit_form'). Site administrators should also review media attachment metadata for unauthorized changes and monitor contributor activity logs for suspicious behavior. Applying the principle of least privilege by limiting contributor roles or using role management plugins to restrict access to media editing functions can reduce exposure. Regularly check for vendor updates or security advisories to apply patches promptly once available. Finally, educate content contributors about the risks and encourage reporting of any anomalies in media content.