PatchSiren cyber security CVE debrief
CVE-2026-7472 edmonparker CVE debrief
A time-based blind SQL injection vulnerability exists in the Read More & Accordion WordPress plugin (versions up to and including 3.5.7). The flaw resides in the `getAllDataByLimit()` and `getAccordionAllDataByLimit()` functions within `ReadMoreData.php`, where user-supplied input via the `orderby` parameter is improperly sanitized before being concatenated into an ORDER BY clause. The code applies `esc_sql()` to the value but does not enclose it in quotes, which renders the escaping ineffective in this context. Additionally, the input passes through `esc_attr()`, an HTML-escaping function, before reaching the database functions; this provides no SQL injection protection. Because `esc_sql()` only escapes quote characters and backslashes, attackers can inject arbitrary SQL expressions directly into the ORDER BY clause. This enables time-based blind SQL injection using expressions like `(SELECT SLEEP(5))` or conditional subqueries for data extraction. The vulnerability requires authentication with administrator-level privileges or access explicitly granted through the plugin's `yrm-user-roles` setting. Successful exploitation could lead to extraction of sensitive database contents, including administrator password hashes. The vulnerability was disclosed on 2026-05-20 and carries a CVSS 3.1 score of 4.9 (Medium severity).
- Vendor: edmonparker
- Product: Read More & Accordion
- CVSS: MEDIUM 4.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-20
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-20
- Advisory updated: 2026-05-20
Who should care
WordPress site administrators using the Read More & Accordion plugin; security teams responsible for WordPress plugin vulnerability management; developers maintaining WordPress plugins with custom database query functions; compliance officers tracking authenticated vulnerability exposure in content management systems
Technical summary
The vulnerability stems from improper use of `esc_sql()` in an unquoted ORDER BY context. In `ReadMoreData.php`, the `getAllDataByLimit()` and `getAccordionAllDataByLimit()` functions receive user input from `$_GET['orderby']` that has only been processed through `esc_attr()`. The value is then passed to `esc_sql()` and directly concatenated into the SQL query without quotes: `ORDER BY {esc_sql($orderby)}`. Since `esc_sql()` only escapes quote characters and backslashes, and these have no special meaning in unquoted ORDER BY contexts, attackers can inject arbitrary SQL. The `prepare()` method is called after this concatenation, too late to sanitize the already-injected content. This enables time-based blind SQL injection for authenticated administrators, allowing database fingerprinting and sensitive data extraction through timing side channels.
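As an added example (not the plugin's own code), the following stand-alone PHP shows the escaped-but-unquoted ORDER BY pattern described above next to an allowlist-based replacement; the column names, the `yrm_safe_orderby()` function and the `esc_sql_standin()` helper are assumptions introduced for illustration.

```php
<?php
// Added example, not code from the Read More & Accordion plugin.
// Demonstrates why escaping cannot protect an unquoted ORDER BY identifier
// and how an allowlist restores control over what reaches the query.

declare(strict_types=1);

/**
 * Build a safe ORDER BY fragment from untrusted input (e.g. $_GET['orderby']).
 * Anything not in $allowed silently falls back to $default, so the value that
 * reaches SQL is always one of a fixed set of known column names.
 * Column names here are hypothetical; use the real table's columns.
 */
function yrm_safe_orderby(?string $requested, array $allowed, string $default, ?string $dir = null): string
{
    $column    = in_array($requested, $allowed, true) ? $requested : $default;
    $direction = strtoupper((string) $dir) === 'DESC' ? 'DESC' : 'ASC';
    // The identifier is known-good, so quoting it with backticks is safe.
    return sprintf('ORDER BY `%s` %s', $column, $direction);
}

/**
 * Stand-in for WordPress esc_sql() so the script runs outside WordPress:
 * like esc_sql(), it only escapes quotes and backslashes.
 */
function esc_sql_standin(string $value): string
{
    return addslashes($value);
}

$allowed = ['id', 'title', 'created_at'];           // hypothetical columns

$inputs = [
    'title',                                          // legitimate request
    '(SELECT SLEEP(5))',                              // payload shape named in the advisory
];

foreach ($inputs as $input) {
    // Vulnerable pattern from the advisory: escape, then concatenate unquoted.
    // The payload contains no quote or backslash, so it passes through unchanged.
    $escapedOnly = 'ORDER BY ' . esc_sql_standin($input);
    // Hardened pattern: allowlist, then a fixed template.
    $hardened = yrm_safe_orderby($input, $allowed, 'id');
    printf("input: %s\n  escaped only: %s\n  allowlisted:  %s\n", $input, $escapedOnly, $hardened);
}
```

The same allowlist check belongs before any `$wpdb->prepare()` call, since `prepare()` cannot retroactively clean a string that was concatenated before it ran; WordPress 6.2 and later also accept the `%i` identifier placeholder in `$wpdb->prepare()` for column names that have already been validated.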
Defensive priority
medium
Recommended defensive actions
- Update the Read More & Accordion WordPress plugin to version 3.5.8 or later immediately
- Review WordPress administrator accounts and audit access logs for suspicious database query patterns or unusual page load times
- Verify that the `yrm-user-roles` setting restricts plugin administrative access to only necessary trusted roles
- Implement Web Application Firewall (WAF) rules to detect and block SQL injection attempts in ORDER BY parameters
- Review database query logs for suspicious patterns including SLEEP() functions or conditional subqueries in ORDER BY clauses
- Consider implementing database activity monitoring to detect anomalous query execution times indicative of time-based blind SQL injection
- Apply principle of least privilege to WordPress user roles, ensuring only necessary administrators have access to plugin settings
Evidence notes
Vulnerability analysis is based on the official CVE description and source code references provided by Wordfence. The root cause is confirmed through direct examination of the affected functions in `ReadMoreData.php` at lines 1522 and 1537 (tag 3.5.7), with entry points identified in `list.php` and `readMorePagesView.php` at line 29. The use of `esc_sql()` without proper quoting in ORDER BY context is a well-documented SQL injection anti-pattern. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N) reflects network attack vector, low attack complexity, high privileges required, and high confidentiality impact.