WordPress Accordions Plugin <=2.3.23 Stored XSS via Accordion Body
CVE-2026-10862 Published on June 9, 2026
Accordions <= 2.3.23 - Authenticated (Custom+) Stored Cross-Site Scripting via Accordion Body Field
The Accordions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Accordion body field in all versions up to, and including, 2.3.23 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Custom-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Timeline
Discovered
Vendor Notified 64 days later.
Disclosed 4 days later.
Weakness Type
What is a XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2026-10862 has been classified to as a XSS vulnerability or weakness.
Products Associated with CVE-2026-10862
Want to know whenever a new CVE is published for Pickplugins Accordion? stack.watch will email you.
Affected Versions
pickplugins Accordions:- Before and including 2.3.23 is affected.