Executive Summary
A critical backdoor vulnerability (CVE-2026-6443) has been identified in version 1.4.6 of the Accordion and Accordion Slider plugin for WordPress. The plugin was sold to a malicious threat actor who embedded a backdoor across all plugins in their acquired portfolio. This supply chain compromise gives the attacker the ability to maintain persistent unauthorized access to any WordPress site running the affected version.
The vulnerability carries a CVSS score of 9.8 (Critical). Site administrators should update or remove the plugin immediately.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-6443 |
| CVSS Score | 9.8 (Critical) |
| Type | Injected Backdoor / Supply Chain Compromise |
| Attack Vector | Network |
| Privileges Required | None |
| User Interaction | None |
| Affected Version | 1.4.6 |
| Patch Available | Remove or replace with clean version |
Affected Versions
| Plugin | Affected Version | Recommendation |
|---|---|---|
| Accordion and Accordion Slider | 1.4.6 | Remove immediately; do not update to 1.4.6 |
Technical Analysis
Root Cause
The Accordion and Accordion Slider plugin was acquired by a malicious threat actor. Following the acquisition, the new owner published a compromised version (1.4.6) with an embedded backdoor. This tactic — purchasing popular WordPress plugins and pushing malicious updates — is a well-documented supply chain attack vector against the WordPress ecosystem.
The backdoor grants the threat actor:
- Persistent unauthorized access to any WordPress installation running version 1.4.6
- Potential for remote code execution through the injected payload
- Ability to create privileged accounts, modify site content, or deploy additional malware
Attack Flow
1. Plugin sold to threat actor on open marketplace or direct purchase
2. Threat actor injects backdoor code into version 1.4.6 release
3. Compromised version pushed to WordPress.org repository or auto-update channel
4. Site administrators update plugin (or install fresh) — backdoor activates
5. Threat actor uses backdoor to maintain persistent access, execute code, or escalate privileges
6. Access persists across site changes until backdoor code is removed
Scope of Impact
This style of supply chain compromise affects every site that:
- Installed the Accordion and Accordion Slider plugin version 1.4.6
- Has auto-updates enabled and updated to 1.4.6
- Cloned or deployed a site image containing 1.4.6
Impact Assessment
| Impact Area | Description |
|---|---|
| Persistent Backdoor Access | Threat actor maintains access regardless of password changes |
| Remote Code Execution | Injected payload may allow arbitrary PHP execution |
| Full Site Takeover | Attacker can modify content, install plugins, create admin accounts |
| Data Exfiltration | User PII, credentials, and site data at risk |
| Lateral Movement | Shared-hosting environments may expose neighboring sites |
| SEO Poisoning | Attacker can inject spam links or redirect traffic |
Immediate Remediation
Step 1: Identify Affected Installations
```bash
# Via WP-CLI: check installed version
wp plugin get accordion-slider --field=version
# List all active plugins and versions
wp plugin list --status=active --format=table
```
If the version is 1.4.6, the site is affected.
Step 2: Deactivate and Remove the Plugin
```bash
# Deactivate the plugin
wp plugin deactivate accordion-slider
# Delete the plugin entirely
wp plugin delete accordion-slider
```
Or via WordPress Admin: Plugins > Installed Plugins > Accordion and Accordion Slider > Deactivate > Delete.
Step 3: Audit for Post-Exploitation Activity
```bash
# Check for recently created admin accounts
wp user list --role=administrator --fields=user_login,user_email,user_registered
# Search for PHP files modified more recently than wp-config.php
find /path/to/wordpress/ -name "*.php" -newer /path/to/wordpress/wp-config.php -not -path "*/cache/*" -type f
# Check for unauthorized plugin additions
wp plugin list --status=active
# Review .htaccess for injected redirects
cat /path/to/wordpress/.htaccess
```
Step 4: Restore Site Integrity
```bash
# Verify WordPress core file integrity
wp core verify-checksums
# Verify all active plugin file integrity
wp plugin verify-checksums --all
# Force a fresh random password for each admin account. A loop is used because
# a $(openssl ...) substitution inside a single xargs argument is expanded once
# by the shell, which would give every administrator the same password.
for id in $(wp user list --role=administrator --format=ids); do
  wp user update "$id" --user_pass="$(openssl rand -base64 24)"
done
# Regenerate secret keys
wp config shuffle-salts
# Invalidate all active sessions (uses the site's real table prefix rather than assuming wp_)
wp db query "DELETE FROM $(wp db prefix)usermeta WHERE meta_key = 'session_tokens';"
```
Detection Indicators
| Indicator | Description |
|---|---|
| Accordion plugin version 1.4.6 present | Direct indicator of compromise |
| Unexpected PHP files in plugin directory | Post-exploitation webshell |
| New administrator accounts | Attacker-created persistence |
| Unexplained outbound HTTP requests | Backdoor calling home to C2 |
| Modified wp-config.php or .htaccess | Configuration tampering |
| Injected `<script>` tags in theme files | Malicious JavaScript injection |
Post-Remediation Checklist
- Remove version 1.4.6 of Accordion and Accordion Slider immediately
- Do not reinstall from untrusted sources — verify any replacement plugin is from a clean release
- Audit all administrator accounts — remove unauthorized entries
- Reset all admin passwords and regenerate WordPress secret keys
- Invalidate all active sessions to force re-authentication
- Scan for webshells in wp-content/plugins/ and wp-content/uploads/
- Verify WordPress core and remaining plugin checksums
- Review server access logs for evidence of backdoor exploitation
- Enable two-factor authentication on all administrator accounts
- Deploy a WAF (Wordfence, Sucuri, Cloudflare) to block further exploitation attempts
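The detection indicators above and the checklist items on webshell scanning and access-log review, as an added example that is not part of the original advisory or of the plugin: a POSIX shell script that reads the plugin's main-file header the way WordPress does to confirm the 1.4.6 version, lists PHP files under wp-content/uploads (a directory WordPress never writes PHP into), and flags access-log lines that request PHP files directly under uploads/ or plugins/. It assumes the plugin slug accordion-slider used in the remediation steps, and the site tree and log lines it builds are constructed sample data so it runs offline.

```bash
#!/bin/sh
# Added example, not from the original advisory or the plugin. The slug
# "accordion-slider", the sample site tree and the log lines are constructed
# assumptions so the script runs stand-alone.

# Print the "Version:" value from a plugin's main-file header (first match only).
plugin_version() {
  sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Succeed (exit 0) when the header version is the compromised release 1.4.6.
is_affected() {
  [ "$(plugin_version "$1")" = "1.4.6" ]
}

# Print PHP files under wp-content/uploads; WordPress never places PHP there.
php_in_uploads() {
  find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null
}

# Print access-log lines that request a PHP file directly under uploads/ or
# plugins/ rather than going through the normal WordPress entry points.
suspicious_requests() {
  grep -E '"(GET|POST) /wp-content/(uploads|plugins)/[^" ]*\.php' "$1"
}

# --- constructed sample site and access log (not real data) ---
SITE="$(mktemp -d)"
trap 'rm -rf "$SITE"' EXIT
MAIN="$SITE/wp-content/plugins/accordion-slider/accordion-slider.php"
mkdir -p "$(dirname "$MAIN")" "$SITE/wp-content/uploads/2026/01"
cat > "$MAIN" <<'EOF'
<?php
/*
Plugin Name: Accordion and Accordion Slider
Version: 1.4.6
*/
EOF
printf '<?php // placeholder standing in for a dropped file\n' > "$SITE/wp-content/uploads/2026/01/uploaded.php"
LOG="$SITE/access.log"
cat > "$LOG" <<'EOF'
10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.9 - - [01/Jan/2026:10:01:00 +0000] "POST /wp-content/uploads/2026/01/uploaded.php HTTP/1.1" 200 88
203.0.113.9 - - [01/Jan/2026:10:02:00 +0000] "POST /wp-content/plugins/accordion-slider/accordion-slider.php HTTP/1.1" 200 45
10.0.0.5 - - [01/Jan/2026:10:03:00 +0000] "GET /wp-content/plugins/accordion-slider/css/style.css HTTP/1.1" 200 900
EOF

# Report the three checks against the sample site.
if is_affected "$MAIN"; then
  echo "AFFECTED: accordion-slider $(plugin_version "$MAIN") is installed"
fi
php_in_uploads "$SITE" | sed 's/^/PHP IN UPLOADS: /'
suspicious_requests "$LOG" | sed 's/^/DIRECT PHP REQUEST: /'
```

Point the three functions at a real WordPress root and access log to use them on a live site. The version check complements `wp plugin get` from Step 1 on hosts without WP-CLI. Direct requests to a plugin's PHP files are not always malicious, since some plugins legitimately expose endpoints that way, so treat the flagged lines as a triage list to read alongside the timestamps of any new administrator accounts or modified files.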
Background: Plugin Acquisition Supply Chain Attacks
The WordPress plugin ecosystem is a recurring target for supply chain attackers. The attack pattern involves:
- Identifying plugins with large install bases but inactive or motivated-to-sell maintainers
- Purchasing the plugin via brokers, direct contact, or marketplace listings
- Publishing a backdoored update that auto-pushes to all existing installations
- Leveraging the resulting access for ad injection, SEO spam, credential theft, or ransomware staging
Site owners should audit plugins after ownership transfers and consider disabling auto-updates for plugins from unfamiliar publishers.