Security Alert Summary
The Lightweight Accordion plugin for WordPress contains a stored Cross-Site Scripting (XSS) vulnerability in its lightweight-accordion shortcode. Insufficient input sanitization and output escaping of user-supplied attributes allow authenticated users with contributor-level access and above to inject JavaScript that will execute when a page containing the injected shortcode is viewed.
CVE Details
- CVE ID: CVE-2025-13740
- Affected component: Lightweight Accordion plugin for WordPress
- Affected versions: All versions up to and including 1.5.20
- Published: December 15, 2025 at 4:15 AM UTC
- Last modified: December 15, 2025 at 6:22 PM UTC
- CVSS v3.1: Base Score 6.4, Severity MEDIUM, Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- Authentication / Privileges / User Interaction: Requires an authenticated user; the description states attackers need contributor-level access or above. The CVSS vector indicates Attack Vector: NETWORK, Attack Complexity: LOW, Privileges Required: LOW, User Interaction: NONE, Scope: CHANGED.
- Primary impact: Confidentiality: LOW; Integrity: LOW; Availability: NONE
- Weakness (CWE): CWE-79 (Improper Neutralization of Input During Web Page Generation)
Technical Details
The plugin’s lightweight-accordion shortcode fails to properly sanitize and escape user-supplied attributes before rendering them. Because those attributes are stored and then output into pages, an authenticated user with contributor-level access or higher can supply payloads that are stored in the database and delivered to other users viewing the affected page. The vulnerability is classified as stored (persistent) Cross-Site Scripting (XSS), allowing injected scripts to run in the context of the site and the viewer’s browser when the page is loaded.
The description specifically attributes the issue to “insufficient input sanitization and output escaping on user supplied attributes.” No specific function names or REST endpoints are named in the CVE entry beyond the shortcode itself.
How This Could Impact Your Website
Consider a multi-user site with a site owner, internal staff (editors or authors), and external contributors. If a contributor can add or edit content that uses the vulnerable lightweight-accordion shortcode, they may embed JavaScript that executes when other users, including editors or administrators, view the affected page. Practical consequences include exposure of data accessible in the victim’s browser session (such as profile information or email addresses visible within the page), and an increased risk of targeted phishing or social engineering campaigns against staff or contractors based on harvested details.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available. (The CVE entry does not specify a fixed version.)
- Review and reduce unnecessary user roles, especially contributor-level accounts.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins.
- Monitor site activity and page content for unusual or unexpected code and behavior.
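As an added example for the monitoring step above and the mechanism described under Technical Details (this is not the plugin's code and not taken from the CVE entry), the Python script below scans exported post content for lightweight-accordion shortcodes and flags attribute values that contain HTML tags, inline event handlers, or javascript: URIs, none of which belong in a plain-text attribute. The attribute names title, id and href, the post IDs, and the post content are constructed for the example; the attribute grammar only approximates WordPress's shortcode_parse_atts.

```python
import re

# Heuristic scanner for stored-XSS indicators in [lightweight-accordion] shortcode
# attributes. Constructed example; attribute names are assumptions, not the plugin's.
SHORTCODE = "lightweight-accordion"
# Opening tag only: "[/lightweight-accordion]" does not match because of the leading "/".
SHORTCODE_RE = re.compile(r"\[" + re.escape(SHORTCODE) + r"\b([^\]]*)\]", re.IGNORECASE)
# name="v", name='v' or name=v (approximation of WordPress shortcode_parse_atts)
ATTR_RE = re.compile(r"""([A-Za-z_][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))""")
# Content that never belongs in a plain-text attribute such as a panel title.
# The event_handler check is deliberately broad and may flag values like "one=two".
SUSPICIOUS = (
    ("html_tag", re.compile(r"<\s*/?\s*[A-Za-z]")),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.IGNORECASE)),
)


def parse_attrs(attr_text):
    """Return {name: value} for the attributes of one shortcode tag."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        # Exactly one of the three value groups is set; pick it.
        attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return attrs


def scan_post(post_id, content):
    """Return (post_id, attribute, reason, value) for each suspicious attribute value."""
    findings = []
    for tag in SHORTCODE_RE.finditer(content):
        for name, value in parse_attrs(tag.group(1)).items():
            for reason, pattern in SUSPICIOUS:
                if pattern.search(value):
                    findings.append((post_id, name, reason, value))
                    break  # one finding per attribute is enough
    return findings


def scan_posts(posts):
    """Scan a {post_id: content} mapping, e.g. built from a post export."""
    return [f for post_id, content in posts.items() for f in scan_post(post_id, content)]


# Constructed sample posts: one benign, two carrying markup in an attribute.
SAMPLE_POSTS = {
    101: '[lightweight-accordion title="Shipping policy"]Orders ship in 2 days.[/lightweight-accordion]',
    102: "[lightweight-accordion title='FAQ <img src=x onerror=alert(1)>']...[/lightweight-accordion]",
    103: '[lightweight-accordion title="Terms" id="<script>alert(1)</script>"]',
}

if __name__ == "__main__":
    for post_id, attr, reason, value in scan_posts(SAMPLE_POSTS):
        print(f"post {post_id}: attribute '{attr}' flagged ({reason}): {value!r}")
```

Feed it real content with something like `wp post list --post_type=page,post --field=ID` followed by `wp post get <ID> --field=post_content`, and review every hit manually, since the checks are heuristics.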
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.