Accordion < 2.3.16 – Missing Authorization | CVE 2025-58678 | Plugin Vulnerabilities

Description

The Accordion – AI FAQ, Accordion, Tabs, Image Accordion, Product FAQ, FAQ Builder, FAQ Grid plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the get_post_data() function in all versions up to, and including, 2.3.15. This makes it possible for authenticated attackers, with Contributor-level access and above, to retrieve post data.

Affects Plugins

Fixed in 2.3.16

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/ca04a041-6614-420b-a7c5-65128202d713

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Abu Hurayra

Verified

No

WPVDB ID

74f34960-d66c-4cfa-b3cc-0503b1622c2c

Timeline

Publicly Published

2025-09-22 (about 8 months ago)

Added

2025-09-26 (about 7 months ago)

Last Updated

2025-09-26 (about 7 months ago)

Other

Published

Title

Published

2024-01-31

Title

PilotPress < 2.0.31 - Subscriber+ Report Access & DB Transients Purging

Published

2024-11-12

Title

Hide Links <= 1.4.2 - Unauthenticated Shortcode Execution

Published

2024-09-25

Title

Wheel of Life < 1.1.9 - Missing Authorization

Published

2024-12-19

Title

Userpro <= 5.1.9 - Missing Authorization

Published

2026-04-16

Title

Payment Gateway for Redsys & WooCommerce Lite < 7.0.1 - Missing Authorization