WordPress Read More & Accordion Plugin: Privilege Escalation (CVE-2026-7467)

The Read More & Accordion plugin for WordPress, in versions up to and including 3.5.7, is vulnerable to privilege escalation. The National Vulnerability Database reports that this flaw, tracked as CVE-2026-7467, stems from the RadMoreAjax::importData function failing to restrict database table writes and improperly validating imported data. This is a critical design flaw.

This vulnerability allows authenticated attackers, if granted initial permission via the plugin’s role settings, to inject arbitrary rows into the wp_users and wp_usermeta tables. Specifically, they can manipulate the wp_capabilities field, effectively creating a new administrator account. The result is full administrative access to the compromised WordPress site.

With a CVSS score of 8.8 (High), this isn’t just a theoretical issue. It’s a direct path to total site takeover for an attacker who already has basic access. Defenders need to understand that this isn’t about exploiting a complex buffer overflow; it’s about abusing a poorly implemented import function to bypass WordPress’s core access controls. The attacker’s calculus here is straightforward: gain a low-privilege account, then escalate to admin with minimal effort.

What This Means For You

  • If your organization uses WordPress with the Read More & Accordion plugin, identify its version immediately. Any version up to and including 3.5.7 is vulnerable to CVE-2026-7467; update or disable the plugin without delay. Audit your WordPress user records and logs for any suspicious new administrator accounts or privilege changes, especially if the plugin was enabled.
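One way to carry out the user audit recommended above is to query the two tables the advisory names directly. The script below is an added example (not code from the advisory, the plugin, or NVD): it builds an in-memory SQLite copy of wp_users and wp_usermeta with constructed sample rows, reads the PHP-serialized wp_capabilities value WordPress stores for each account, and flags any administrator that is not on an allow-list or was registered after a chosen date. The column names are WordPress's real ones; the account names, IDs and timestamps are made up, and the meta key assumes the default `wp_` table prefix.

```python
import re
import sqlite3
from datetime import datetime

# Constructed sample rows shaped like WordPress's wp_users and wp_usermeta tables.
# The wp_capabilities values use WordPress's real PHP-serialization layout; the
# logins, IDs and timestamps are invented for this example.
SAMPLE_USERS = [
    (1, "siteowner", "2024-01-10 09:00:00"),
    (2, "editor_jane", "2024-03-02 12:30:00"),
    (3, "contrib_bob", "2026-05-01 08:15:00"),
    (4, "wpadmin2", "2026-05-20 03:41:07"),  # administrator that nobody created on purpose
]
SAMPLE_USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:11:"contributor";b:1;}'),
    (4, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (4, "wp_user_level", "10"),
]

# Matches each enabled role inside a serialized PHP array such as
# a:1:{s:13:"administrator";b:1;}
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def roles_from_capabilities(serialized: str) -> set:
    """Return the set of role names enabled in a serialized wp_capabilities value."""
    return set(ROLE_RE.findall(serialized))


def load_sample_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed wp_users / wp_usermeta rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_registered TEXT)"
    )
    conn.execute(
        "CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT)"
    )
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?)", SAMPLE_USERMETA)
    return conn


def list_administrators(conn: sqlite3.Connection) -> list:
    """Return (ID, user_login, user_registered) for every account holding the administrator role.

    The same JOIN works against a real MySQL WordPress database; only the meta_key
    changes if the site uses a table prefix other than wp_.
    """
    rows = conn.execute(
        "SELECT u.ID, u.user_login, u.user_registered, m.meta_value "
        "FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key = 'wp_capabilities'"
    )
    return [
        (uid, login, registered)
        for uid, login, registered, caps in rows
        if "administrator" in roles_from_capabilities(caps)
    ]


def find_unexpected_admins(conn: sqlite3.Connection, known_admins: set, since: str) -> list:
    """Flag administrator logins that are not on the allow-list or were registered after `since`.

    Both checks are applied because an injected wp_users row can carry any
    user_registered value the writer chooses, so a timestamp alone is not enough.
    """
    cutoff = datetime.strptime(since, "%Y-%m-%d %H:%M:%S")
    flagged = []
    for _uid, login, registered in list_administrators(conn):
        registered_at = datetime.strptime(registered, "%Y-%m-%d %H:%M:%S")
        if login not in known_admins or registered_at > cutoff:
            flagged.append(login)
    return flagged


if __name__ == "__main__":
    db = load_sample_db()
    print(find_unexpected_admins(db, known_admins={"siteowner"}, since="2026-04-30 00:00:00"))
```

Run against the sample data, only `wpadmin2` is reported: it holds the administrator role, is absent from the allow-list, and was registered after the cutoff. On a production site, compare the result with the administrator list your team actually maintains rather than with whatever the database currently says.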

Detection Rules

Sigma rule (auto-generated for this advisory; level: critical; mapped to MITRE ATT&CK T1078.001, Persistence):

title: WordPress Read More & Accordion Plugin Privilege Escalation - CVE-2026-7467
id: scw-2026-05-20-ai-1
status: experimental
level: critical
description: |
  Detects the AJAX action used by the vulnerable Read More & Accordion plugin to import data.
  The rule looks for the 'radmore_ajax' action being called via 'admin-ajax.php' together with
  the 'wp_users' and 'wp_usermeta' table names appearing in the request, which is characteristic
  of the privilege escalation described in CVE-2026-7467.
author: SCW Feed Engine (AI-generated)
date: 2026-05-20
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7467/
tags:
  - attack.persistence
  - attack.t1078.001
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains: '/wp-admin/admin-ajax.php'
    cs-method: 'POST'
    cs-uri-query|contains: 'action=radmore_ajax'
    sc-status: '200'
  selection_indicators:
    cs-referer|contains: 'wp_users'
    cs-uri|contains: 'wp_usermeta'
  condition: selection and selection_indicators
falsepositives:
  - Legitimate administrative activity
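To show what the rule above actually fires on, here is an added example (not code from the advisory or from any SIEM vendor) that applies the same two selections to constructed webserver log lines. The log layout is a simplified W3C-style line (date, time, client IP, method, full request URI, status, referer); the table names placed in the sample query string and referer are there only so the indicator selection has something to match, since the advisory does not show what the plugin's import request looks like.

```python
from dataclasses import dataclass

# Constructed log lines in a simplified W3C-style layout:
#   date time c-ip cs-method cs-uri sc-status cs-referer
# cs-uri carries the full request target including the query string, which is
# how Sigma webserver rules commonly treat the field. All values are invented.
SAMPLE_LOG = """\
2026-05-20 03:40:12 203.0.113.7 POST /wp-admin/admin-ajax.php?action=heartbeat 200 https://example.test/wp-admin/post.php
2026-05-20 03:41:05 203.0.113.7 POST /wp-admin/admin-ajax.php?action=radmore_ajax&table=wp_usermeta 200 https://example.test/wp-admin/admin.php?page=wp_users
2026-05-20 03:41:09 203.0.113.7 POST /wp-admin/admin-ajax.php?action=radmore_ajax 200 https://example.test/wp-admin/admin.php?page=radmore
2026-05-20 03:42:30 198.51.100.9 GET /wp-admin/admin-ajax.php?action=radmore_ajax&table=wp_usermeta 403 https://example.test/wp-admin/admin.php?page=wp_users
"""


@dataclass
class WebEvent:
    """One parsed access-log record, named after the Sigma webserver fields."""
    date: str
    time: str
    c_ip: str
    cs_method: str
    cs_uri: str
    sc_status: str
    cs_referer: str

    @property
    def cs_uri_query(self) -> str:
        # Everything after the first '?' (empty when there is no query string).
        return self.cs_uri.partition("?")[2]


def parse_line(line: str):
    """Split a space-separated log line into a WebEvent; return None on a malformed line."""
    parts = line.split()
    if len(parts) != 7:
        return None
    return WebEvent(*parts)


def selection(ev: WebEvent) -> bool:
    """Mirror of the rule's 'selection' block: a successful POST to the plugin's AJAX action."""
    return (
        "/wp-admin/admin-ajax.php" in ev.cs_uri
        and ev.cs_method == "POST"
        and "action=radmore_ajax" in ev.cs_uri_query
        and ev.sc_status == "200"
    )


def selection_indicators(ev: WebEvent) -> bool:
    """Mirror of 'selection_indicators': both user-table names visible in the request."""
    return "wp_users" in ev.cs_referer and "wp_usermeta" in ev.cs_uri


def matches_rule(ev: WebEvent) -> bool:
    """condition: selection and selection_indicators"""
    return selection(ev) and selection_indicators(ev)


def scan(log_text: str) -> list:
    """Return every event in the log text that satisfies the rule."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        ev = parse_line(line)
        if ev is not None and matches_rule(ev):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.date} {hit.time} {hit.c_ip} {hit.cs_uri}")
```

Only the second sample line matches: the heartbeat call fails the action check, the third line is the right action but carries no table names, and the fourth is a GET that was refused. Two points for anyone deploying the rule: the indicator selection depends on the table names appearing in the URI or referer, and a standard access log does not record POST bodies, so an import submitted entirely in the body would pass unnoticed by this rule alone. Pair it with the account audit above and, where the web server allows it, request-body logging for admin-ajax.php.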


Indicators of Compromise

ID             Type                  Indicator
CVE-2026-7467  Privilege Escalation  WordPress plugin: Read More & Accordion, all versions up to and including 3.5.7
CVE-2026-7467  Privilege Escalation  Vulnerable function: RadMoreAjax::importData
CVE-2026-7467  Privilege Escalation  Affected database tables: wp_users, wp_usermeta (specifically the wp_capabilities field)

Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: May 20, 2026 at 05:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
