Security Alert Summary
The Simple Wp colorfull Accordion plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in the title parameter of the accordion shortcode. Authenticated users with Contributor-level access and above can inject script payloads that will execute when a page containing the injected shortcode is viewed.
CVE Details
- CVE ID:
CVE-2026-1904 - Affected component: Simple Wp colorfull Accordion plugin for WordPress
- Affected versions: All versions up to, and including, 1.0
- Published: February 14, 2026 at 05:16:19 AM UTC
- Last modified: February 14, 2026 at 05:16:19 AM UTC
- CVSS v3.1 base score: 6.4 — MEDIUM
- CVSS vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N - Authentication / privileges / user interaction: Privileges Required: Low (authenticated, e.g., Contributor-level); User Interaction: None
- Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
- CWE / weakness: CWE-79 (Cross-site Scripting)
Technical Details
The vulnerability is a stored cross-site scripting issue introduced by insufficient input sanitization and missing output escaping for the title parameter of the plugin’s accordion shortcode. Because the plugin stores and later renders the provided title value without adequate sanitization/escaping, an authenticated user with the required privileges can inject arbitrary JavaScript into pages that include the shortcode. The injected script will execute in the browsers of users who view the page containing the malicious shortcode.
The description identifies the vulnerable parameter (title) and the affected shortcode (accordion) as the source of the stored XSS. The impact is limited by the privileges required to supply the payload (Contributor-level or higher), and the CVSS vector indicates no user interaction is required for the exploit to execute once a victim loads the affected page.
How This Could Impact Your Website
In a typical small business WordPress site, a site owner may allow internal staff or external contractors to contribute content. If a contributor account is used to add or edit content that includes the vulnerable accordion shortcode, a malicious actor could embed a script in the title field. When other users (editors, administrators, or site visitors with access to the page) view that page, the script can run in their browsers. Practical consequences can include limited disclosure of information accessible in the browser context (consistent with the CVSS confidentiality impact) and unauthorized modification or injection of displayed content (consistent with the CVSS integrity impact).
Because availability impact is reported as none, this issue does not indicate direct denial-of-service. However, successful XSS can increase the risk of targeted phishing or social engineering by allowing attackers to display deceptive content to users or harvest session-related data. professional review may be worth pursuing if you’re unsure whether your site is affected or how to assess your current user roles and plugins.
Recommended Actions
- Update the affected plugin as soon as a patched version is available. (No fixed version is specified in the CVE entry.)
- Review and reduce unnecessary user roles, especially contributors and other low-privilege accounts that can submit content.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and content changes for unusual behavior, especially edits that include shortcodes or HTML input from contributors.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/simple-wp-colorfull-accordion/tags/1.0/Simple-Wp-colorfull-Accordion.php#L60
- https://plugins.trac.wordpress.org/browser/simple-wp-colorfull-accordion/trunk/Simple-Wp-colorfull-Accordion.php#L60
- https://www.wordfence.com/threat-intel/vulnerabilities/id/8444743c-ba57-4a51-990c-eb9058829d09?source=cve