CVE-2026-7472— Read More & Accordion <= 3.5.7 - Authenticated (Administrator+) SQL Injection via 'orderby' Parameter

Read More & Accordion <= 3.5.7 - Authenticated (Administrator+) SQL Injection via 'orderby' Parameter

The Read More & Accordion plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 3.5.7. This is due to the use of esc_sql() without surrounding the value in quotes in an ORDER BY clause inside the getAllDataByLimit() and getAccordionAllDataByLimit() functions in ReadMoreData.php. The user-supplied $_GET['orderby'] value is only processed through esc_attr() (an HTML-escaping function) before being passed to these database functions, where esc_sql() is applied but the value is directly concatenated—unquoted—into the ORDER BY fragment of the SQL query before $wpdb->prepare() is called. Because esc_sql() only escapes quote characters and backslashes (which are irrelevant in an unquoted ORDER BY context), an attacker can inject arbitrary SQL expressions such as (SELECT SLEEP(5)) or conditional subqueries to perform time-based blind data extraction. This makes it possible for authenticated attackers with administrator-level access or above (or any role explicitly permitted access to the plugin's admin pages via the yrm-user-roles setting) to extract sensitive data from the database, including administrator credential hashes.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

SQL命令中使用的特殊元素转义处理不恰当(SQL注入)

WordPress plugin Read More & Accordion SQL注入漏洞

WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台具有在基于PHP和MySQL的服务器上架设个人博客网站的功能。WordPress plugin是一个应用插件。 WordPress plugin Read More & Accordion 3.5.7及之前版本存在SQL注入漏洞，该漏洞源于orderby参数使用esc_sql但未在ORDER BY子句中加引号，可能导致经身份验证的攻击者进行基于时间盲SQL注入

N/A

N/A