CVE-2025-58678
Description
Missing Authorization vulnerability in PickPlugins Accordion (accordions) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Accordion: from n/a through <= 2.3.15.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Accordion plugin for WordPress (versions up to and including 2.3.15) contains a missing authorization vulnerability: at least one plugin action is exposed without a capability check, so a requester with no or low privileges can invoke functionality intended for administrators. Fixed in 2.3.16.
Vulnerability Overview
The Accordion plugin for WordPress, developed by PickPlugins, suffers from a broken access control vulnerability in versions through 2.3.15. The issue is classified as a missing authorization check (CWE-862), meaning certain functions or endpoints do not verify that the requesting user holds the capability needed to perform the action [1]. In WordPress plugins this typically shows up in admin-ajax handlers, REST routes or form handlers that are reachable by any visitor and never call current_user_can() or the equivalent. Nonce checks are often missing from the same handlers, but a nonce only proves the request originated from a page served to the current user (CSRF protection); it does not establish that the user is allowed to perform the operation, so a handler needs both a nonce check and a capability check.
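The pattern described above, as an added illustration: a hypothetical admin-ajax settings handler registered with no authorization at all, beside a hardened version and the REST equivalent. This is not the Accordion plugin's code and does not reproduce whichever function is affected by this CVE; every function, hook, option and route name prefixed demo_acc is invented for the example, and the file assumes it is loaded as a WordPress plugin.

```php
<?php
/**
 * Plugin Name: Demo missing-authorization pattern
 * Description: Added illustration of a missing capability/nonce check in an
 *              admin-ajax handler and its hardened counterpart. Not the
 *              Accordion plugin's code; all demo_acc_* names are hypothetical.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only run when loaded by WordPress.
}

/*
 * VULNERABLE PATTERN (do not ship): registered for both logged-in and
 * anonymous visitors, and the handler never checks a nonce or a capability.
 * Anyone who can POST to /wp-admin/admin-ajax.php with
 * action=demo_acc_save_settings overwrites the option.
 */
function demo_acc_save_settings_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? $_POST['settings'] : array();
    update_option( 'demo_acc_settings', $settings ); // unsanitized, unauthorized write
    wp_send_json_success( 'saved' );
}
add_action( 'wp_ajax_demo_acc_save_settings', 'demo_acc_save_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_acc_save_settings', 'demo_acc_save_settings_vulnerable' );

/*
 * HARDENED PATTERN: registered only for logged-in users (no nopriv hook),
 * verifies the nonce issued to the settings page (CSRF), then verifies the
 * capability (authorization), then sanitizes the input before storing it.
 */
function demo_acc_save_settings_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this action.
    //    check_ajax_referer() sends -1 and dies on mismatch.
    check_ajax_referer( 'demo_acc_save_settings', 'nonce' );

    // 2. Authorization: a valid nonce only proves the request came from this
    //    user's session; it says nothing about whether the user may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Input validation: accept only the keys we expect, as the types we expect.
    $raw = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();
    $settings = array(
        'title'      => isset( $raw['title'] ) ? sanitize_text_field( $raw['title'] ) : '',
        'open_first' => ! empty( $raw['open_first'] ),
    );

    update_option( 'demo_acc_settings', $settings );
    wp_send_json_success( $settings );
}
add_action( 'wp_ajax_demo_acc_save_settings_secure', 'demo_acc_save_settings_hardened' );
// Deliberately no wp_ajax_nopriv_ registration: anonymous visitors never reach it.

/* Mint the nonce the hardened handler expects and hand it to the settings page's JS. */
function demo_acc_enqueue_settings_script( $hook ) {
    if ( 'settings_page_demo-acc' !== $hook ) {
        return;
    }
    wp_enqueue_script( 'demo-acc-settings', plugins_url( 'settings.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-acc-settings', 'demoAcc', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo_acc_save_settings' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'demo_acc_enqueue_settings_script' );

/* REST equivalent: permission_callback is the authorization gate. Returning true
 * there (or omitting it, which WordPress treats as public with a notice) is the
 * REST form of the same missing-authorization bug. */
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo-acc/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $req ) {
            $settings = array( 'title' => sanitize_text_field( (string) $req->get_param( 'title' ) ) );
            update_option( 'demo_acc_settings', $settings );
            return rest_ensure_response( $settings );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

When auditing a plugin for this class of bug, grep for wp_ajax_nopriv_, admin_post_nopriv_ and register_rest_route with a permission_callback that returns true, then read each handler for a current_user_can() call before any state-changing operation; a check_ajax_referer() call on its own is not sufficient.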
Attack Vector
The CVE text does not state which privilege level is required to reach the affected functionality; the narrative treats it as reachable by an unprivileged user or even an unauthenticated visitor, because the access control is either missing or incorrectly configured and the caller can invoke functions that should be limited to administrators or users with specific roles. The attack surface is wide because the plugin is installed on many WordPress sites, and vulnerabilities of this class in widely installed plugins are routinely targeted in mass-exploitation campaigns that hit sites regardless of their size or popularity [1].
Impact
Successful exploitation allows an attacker to perform higher-privileged actions; depending on which function lacks the check, that could mean modifying plugin settings, injecting content into pages rendered by the plugin, or otherwise compromising the site's integrity and confidentiality. The CVSS v3 base score of 6.5 indicates medium severity: low attack complexity with no user interaction, but limited rather than total impact on the site.
Mitigation
The vendor has released version 2.3.16, which patches the vulnerability by adding the missing access control checks. Users are strongly advised to update to 2.3.16 or later immediately; a site is affected if the installed Accordion version is 2.3.15 or lower. For those using Patchstack, auto-update can be enabled to protect vulnerable plugins automatically [1]. No workarounds are documented beyond updating.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0): No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0): No linked articles in our index yet.