Injected backdoor in WordPress plugin enables persistent compromise
TL;DR — A compromised WordPress plugin release (Accordion and Accordion Slider v1.4.6) contains embedded malicious code, turning routine plugin updates into a persistence and spam-injection path for affected sites.
What happened
Accordion and Accordion Slider is a WordPress plugin that adds accordion/slider UI components to sites.
CVE-2026-6443 describes an injected backdoor in version 1.4.6, attributed to the plugin being sold to a malicious threat actor who embedded a backdoor across acquired plugins. The CVE states this enables the actor to maintain a persistent backdoor and inject spam into affected sites.
Severity is CVSS v3.1 9.8 (Critical) with a network attack vector and no privileges required. This is operationally high-risk because it abuses the WordPress plugin supply chain: the update channel becomes the initial access vector, and the blast radius is “every site that installed the compromised build.”
Who is impacted
- WordPress sites running Accordion and Accordion Slider version 1.4.6.
- Teams that vendor, mirror, or bake WordPress plugins into deployment artifacts (e.g., container images, AMIs, golden backups) where 1.4.6 may be present even if later removed upstream.
What to do now
- Follow vendor / maintainer remediation guidance referenced by the CVE record (see the CNA references in the CVE JSON).
- Identify where accordion-and-accordion-slider is installed and determine whether any environment is running 1.4.6 (production, staging, and “forgotten” sites).
- Treat this as a potential compromise rather than a “patch later” bug: verify site integrity (plugin files, wp-config.php, MU-plugins, scheduled tasks/cron hooks) and rotate credentials reachable by the WordPress process per your incident response playbooks.
- Audit your plugin supply chain controls: restrict who can install/update plugins, require provenance review for plugin owner changes, and prefer controlled update pipelines (staging promotion, checksums, allowlists) for high-impact sites.
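To make the inventory step concrete, here is an added POSIX shell script (example code written for this write-up, not from the plugin maintainer or the CVE record) that walks a list of WordPress document roots, reads the plugin's version header, and flags any install of the 1.4.6 build. It assumes the standard layout wp-content/plugins/accordion-and-accordion-slider/ and a standard WordPress plugin header ("Plugin Name:" and "Version:" lines); the fixture file name plugin.php and the version 9.9.9 used in the offline demo are constructed placeholders, not values from the real plugin.

```shell
#!/bin/sh
# Added example for this advisory, not code from the plugin vendor or the CVE record.
# Inventory WordPress document roots for the accordion-and-accordion-slider plugin
# and flag installs of the compromised 1.4.6 build. Assumptions: each site root has
# wp-content/plugins/, and the plugin's main PHP file carries a standard WordPress
# plugin header ("Plugin Name:" / "Version:" lines in its leading comment block).

PLUGIN_SLUG="accordion-and-accordion-slider"
BAD_VERSION="1.4.6"

# plugin_version <site_root>: print the installed version of the plugin, "absent"
# if the plugin directory is missing, or "unknown" if no header could be parsed.
plugin_version() {
    dir="$1/wp-content/plugins/$PLUGIN_SLUG"
    [ -d "$dir" ] || { echo "absent"; return 0; }
    # The main plugin file is the top-level .php file carrying the "Plugin Name:" header.
    main=$(grep -l 'Plugin Name:' "$dir"/*.php 2>/dev/null | head -n 1)
    [ -n "$main" ] || { echo "unknown"; return 0; }
    # Header lines look like " * Version: 1.4.6"; strip the comment prefix and label.
    ver=$(sed -n 's/^[[:space:]*]*Version:[[:space:]]*//p' "$main" | head -n 1 \
          | tr -d '\r' | sed 's/[[:space:]]*$//')
    echo "${ver:-unknown}"
}

# audit_site <site_root>: print "<root> <version> <verdict>"; return 1 only when
# the compromised build is present so callers can aggregate a non-zero status.
audit_site() {
    v=$(plugin_version "$1")
    case "$v" in
        "$BAD_VERSION") echo "$1 $v COMPROMISED-BUILD"; return 1 ;;
        absent)         echo "$1 - absent"; return 0 ;;
        *)              echo "$1 $v not-$BAD_VERSION"; return 0 ;;
    esac
}

# make_fixture <site_root> <version>: build a minimal, constructed WordPress tree
# so the audit can be exercised offline (the file name plugin.php is a placeholder,
# not the real plugin's entry file).
make_fixture() {
    pdir="$1/wp-content/plugins/$PLUGIN_SLUG"
    mkdir -p "$pdir"
    printf '<?php\n/**\n * Plugin Name: Accordion and Accordion Slider\n * Version: %s\n */\n' \
        "$2" > "$pdir/plugin.php"
}

# Usage: sh audit-accordion.sh /var/www/site1 /var/www/site2 ...
# With no arguments, run against constructed fixtures instead.
if [ "$#" -gt 0 ]; then
    status=0
    for site in "$@"; do audit_site "$site" || status=1; done
    exit "$status"
else
    demo=$(mktemp -d)
    make_fixture "$demo/site-a" "$BAD_VERSION"
    make_fixture "$demo/site-b" "9.9.9"   # placeholder version, not a real release
    mkdir -p "$demo/site-c/wp-content/plugins"
    for site in "$demo"/site-*; do audit_site "$site" || true; done
    rm -rf "$demo"
fi
```

Run it against the document roots of every site you manage, including staging and any baked images or backups you can mount read-only; a non-zero exit status means at least one 1.4.6 install was found. The version header is the weakest signal here: whoever controls a plugin release can write any version string, so treat a hit as confirmation and a miss as absence of evidence rather than proof of a clean install, and follow up with the file-level integrity checks the list above calls for. Note that wp plugin verify-checksums compares installed files against the build WordPress.org distributes, so it detects local tampering relative to the published release, not a malicious published release itself.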
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
