CVE-2023-5666 in Accordion Plugin
Summary
by MITRE • 10/30/2023
The Accordion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tcpaccordion' shortcode in all versions up to, and including, 2.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 04/11/2026
The vulnerability identified as CVE-2023-5666 affects the Accordion plugin for WordPress, a widely used content management system component that enables users to create interactive accordion sections on websites. This particular flaw exists within the plugin's tcpaccordion shortcode implementation and impacts all versions up to and including 2.6, representing a significant security risk for WordPress installations that utilize this plugin. The vulnerability stems from inadequate input validation and output escaping mechanisms that fail to properly sanitize user-supplied attributes before processing them within the shortcode functionality.
The technical nature of this vulnerability classifies it as a stored cross-site scripting flaw, which operates through the manipulation of user-supplied attributes within the tcpaccordion shortcode. When authenticated attackers with contributor-level permissions or higher submit malicious input through the plugin's interface, the system fails to adequately sanitize these inputs before storing them within the WordPress database. This stored malicious content then executes whenever any user accesses a page containing the injected shortcode, creating a persistent threat vector that can affect multiple users without requiring them to perform any additional actions. The vulnerability specifically targets the plugin's handling of shortcode attributes, where user-provided data flows directly into the page rendering process without proper sanitization or escaping mechanisms.
The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with the capability to perform various malicious activities including credential theft, session hijacking, and redirection to malicious websites. Since the vulnerability requires only contributor-level permissions, it represents a significant risk for WordPress sites where multiple users have varying permission levels, as attackers can exploit this weakness without needing administrator privileges. The stored nature of the XSS means that the malicious scripts remain active until manually removed from the database, potentially affecting all users who view pages containing the compromised accordion elements. This vulnerability also aligns with attack patterns documented in the ATT&CK framework under the T1566 technique for Phishing and T1059 for Command and Scripting Interpreter, as it enables attackers to deliver malicious payloads through legitimate website interfaces.
The security implications of CVE-2023-5666 can be further understood through the lens of CWE classification, specifically CWE-79 which addresses Cross-Site Scripting vulnerabilities, and CWE-20 which addresses Improper Input Validation. The vulnerability demonstrates a failure in the principle of least privilege and proper data sanitization, as the plugin does not adequately validate or escape user inputs before incorporating them into the output generation process. Organizations affected by this vulnerability should immediately implement mitigations including updating to the latest plugin version where available, implementing additional input validation measures, and monitoring for any suspicious activity within the WordPress admin interface. The vulnerability also highlights the importance of proper security testing and code review practices, particularly for plugins that handle user-supplied content through shortcodes and other dynamic content generation mechanisms.