WordPress Plugin Vulnerabilities

Lightweight Accordion < 1.6.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description

The Lightweight Accordion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `lightweight-accordion` shortcode in all versions up to, and including, 1.5.20 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
lightweight-accordion
Fixed in 1.6.0

References

CVE
CVE-2025-13740
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f117f713-e2f1-4803-87f7-14b1576d823b

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Muhammad Yudha - DJ
Verified
No
WPVDB ID
1860f19f-957c-4061-9fd3-cbdc24b2a92f

Timeline

Publicly Published
2025-12-14 (about 5 months ago)
Added
2025-12-14 (about 5 months ago)
Last Updated
2025-12-15 (about 5 months ago)

Other

Published
Title
Published
2025-04-03
Title
CM Header and Footer < 1.2.5 - Authenticated (Subscriber+) Stored Cross-Site Scripting
Published
2025-01-24
Title
Broadstreet < 1.51.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via zone Parameter
Published
2023-09-05
Title
User Submitted Posts < 20230901 - Contributor+ Stored XSS via Shortcode
Published
2024-10-14
Title
ADIF Log Search Widget <= 1.0f - Reflected Cross-Site Scripting
Published
2023-02-21
Title
Smart Logo Showcase Lite <= 1.1.9 - Contributor+ Stored XSS