CVE-2026-6443

CRITICAL

Accordion and Accordion Slider 1.4.6 - Injected Backdoor

Title source: cna

Description

All plugins by Essentialplugin for WordPress are vulnerable to an injected backdoor in various versions. This is due to the plugins being sold to a malicious threat actor that embedded a backdoor in all of the plugins they acquired. This makes it possible for the threat actor to maintain a persistent backdoor and inject spam into the affected sites.

Scores

CVSS v3 9.8
EPSS 0.0004
EPSS Percentile 13.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-506
Status published
Products (22)
essentialplugin/Accordion and Accordion Slider 1.4.6
essentialplugin/Album and Image Gallery Plus Lightbox 2.1.8
essentialplugin/Blog Designer – Post and Widget 2.7.7
essentialplugin/Countdown Timer Ultimate 2.6.9
essentialplugin/Featured Post Creative 1.5.7
essentialplugin/Meta Slider and Carousel with Lightbox 2.0.8
essentialplugin/Popup Maker and Popup Anything – Popup for opt-ins and Lead Generation Conversions 2.9.1
essentialplugin/Portfolio and Projects 1.5.6
essentialplugin/Post grid and filter ultimate 1.7.4
essentialplugin/Post Ticker Ultimate 1.7.6
... and 12 more
Published Apr 17, 2026
Tracked Since Apr 17, 2026