Vulnerabilities and Security Researches

Vulnerabilities and security researches forexpand-maker expand-maker

Direction: ascending

Jun 07, 2024

Read More & Accordion and popups # CVE-2023-3392

CVE, Research URL: CVE-2023-3392
Home page URL: Security reports for Read More & Accordion and popups
Application: Read More & Accordion and popups
Date: Oct 16, 2023
Research Description: The Read More & Accordion WordPress plugin before 3.2.7 unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present.
Affected versions: max 3.2.7.
Status: vulnerable

Feb 15, 2025

Read More & Accordion and popups # CVE-2024-13639

CVE, Research URL: CVE-2024-13639
Home page URL: Security reports for Read More & Accordion and popups
Application: Read More & Accordion and popups
Date: Feb 13, 2025
Research Description: The Read More & Accordion plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the expmDeleteData() function in all versions up to, and including, 3.4.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary 'read more' posts.
Affected versions: max 3.4.3.
Status: vulnerable

Apr 05, 2025

Read More & Accordion and popups # CVE-2025-0810

CVE, Research URL: CVE-2025-0810
Home page URL: Security reports for Read More & Accordion and popups
Application: Read More & Accordion and popups
Date: Apr 05, 2025
Research Description: The Read More & Accordion plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.7. This is due to missing or incorrect nonce validation on the addNewButtons() function. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions: max 3.4.8.
Status: vulnerable

Jan 11, 2026

Read More & Accordion and popups # CVE-2025-64247

CVE, Research URL: CVE-2025-64247
Home page URL: Security reports for Read More & Accordion and popups
Application: Read More & Accordion and popups
Date: Dec 16, 2025
Research Description: Missing Authorization vulnerability in edmon.parker Read More & Accordion expand-maker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Read More & Accordion: from n/a through <= 3.5.4.1.
Affected versions: max 3.5.4.1.
Status: vulnerable

May 22, 2026

Read More & Accordion and popups # CVE-2026-7472

CVE, Research URL: CVE-2026-7472
Home page URL: Security reports for Read More & Accordion and popups
Application: Read More & Accordion and popups
Date: May 20, 2026
Research Description: The Read More & Accordion plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 3.5.7. This is due to the use of esc_sql() without surrounding the value in quotes in an ORDER BY clause inside the getAllDataByLimit() and getAccordionAllDataByLimit() functions in ReadMoreData.php. The user-supplied $_GET['orderby'] value is only processed through esc_attr() (an HTML-escaping function) before being passed to these database functions, where esc_sql() is applied but the value is directly concatenated—unquoted—into the ORDER BY fragment of the SQL query before $wpdb->prepare() is called. Because esc_sql() only escapes quote characters and backslashes (which are irrelevant in an unquoted ORDER BY context), an attacker can inject arbitrary SQL expressions such as (SELECT SLEEP(5)) or conditional subqueries to perform time-based blind data extraction. This makes it possible for authenticated attackers with administrator-level access or above (or any role explicitly permitted access to the plugin's admin pages via the yrm-user-roles setting) to extract sensitive data from the database, including administrator credential hashes.
Affected versions: max 3.5.7.
Status: vulnerable

Read More & Accordion and popups # CVE-2026-7467

CVE, Research URL: CVE-2026-7467
Home page URL: Security reports for Read More & Accordion and popups
Application: Read More & Accordion and popups
Date: May 20, 2026
Research Description: The Read More & Accordion plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.5.7. This is due to the 'RadMoreAjax::importData' function not restricting which database tables can be written to during import and not properly validating the imported data. This makes it possible for authenticated attackers, with permission granted by the site owner through the plugin's role settings, to insert arbitrary rows into the 'wp_users' and 'wp_usermeta' tables, including the 'wp_capabilities' field, allowing them to create a new administrator account and gain administrator access to the site.
Affected versions: max 3.5.7.
Status: vulnerable