CVE-2025-58024: UnboundStudio Accordion FAQ Local File Inclusion Vulnerability – CVSS 7.5 HIGH
UnboundStudio's Accordion FAQ plugin contains a vulnerability that allows authenticated users to include and execute arbitrary local files on the server. An attacker with login credentials could potentially read sensitive files or execute malicious code by manipulating how the plugin handles file inclusion requests. This is a local file inclusion (LFI) issue, not a remote file inclusion despite the CWE classification, meaning attackers must have valid user access to exploit it.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-98
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in UnboundStudio Accordion FAQ allows PHP Local File Inclusion. This issue affects Accordion FAQ: from n/a through 2.2.1.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2025-58024 is a PHP Local File Inclusion vulnerability stemming from improper input validation in the Accordion FAQ plugin's file inclusion mechanism. The vulnerability maps to CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). Affected versions run from the earliest release through version 2.2.1. An authenticated user can manipulate filename parameters passed to PHP include or require statements, allowing traversal to arbitrary locations on the server filesystem and execution of code within the PHP context. The CVSS 3.1 score of 7.5 reflects high confidentiality and integrity impact with the requirement of authenticated access and non-trivial attack complexity.
Business impact
This vulnerability poses a significant insider threat and compromised-credential risk. An attacker with valid user account credentials—obtained through phishing, credential theft, or employee compromise—could access confidential data stored on the server, modify site content, or plant webshells for persistent access. Organizations relying on Accordion FAQ for content delivery face potential data exfiltration, defacement, and lateral movement into backend systems. The vulnerability is particularly dangerous in multi-tenant or shared hosting environments where file paths may be predictable.
Affected systems
UnboundStudio Accordion FAQ plugin versions from initial release through 2.2.1 are affected. The plugin is commonly used in WordPress and PHP-based content management systems for FAQ display. Any deployment using Accordion FAQ in this version range, combined with user authentication enabled, is vulnerable. Check your installed plugin version via the admin panel or plugin file headers.
Exploitability
Exploitation requires valid user credentials to access the plugin's functions. The attack complexity is rated as high, indicating that successful exploitation demands knowledge of server filesystem structure or common file paths (such as /etc/passwd on Linux or configuration files). However, once a user account is compromised or an insider acts maliciously, the barrier to exploitation is relatively low. No public exploit code is known to be in widespread circulation, but the vulnerability is straightforward to weaponize once discovered.
Remediation
Update Accordion FAQ to a patched version released after 2.2.1. Verify the exact patch version against UnboundStudio's official security advisory or plugin repository. As an interim control pending patching, restrict user role capabilities to prevent untrusted users from accessing plugin settings, implement file integrity monitoring on the server, and audit user account activity for suspicious file access patterns.
Patch guidance
Check UnboundStudio's official advisory or the WordPress plugin repository for the patched version number. Apply the update through your plugin management interface immediately after testing in a staging environment. Ensure all administrative accounts are secured with strong, unique passwords and multi-factor authentication to reduce the risk of credential compromise. Verify the update was successful by confirming the plugin version in the admin panel.
Detection guidance
Monitor web server and PHP logs for unusual include/require statements targeting files outside the plugin's expected directory (e.g., attempts to include /etc/passwd, /proc/self/environ, or ../../../ path traversal patterns). Look for POST or GET requests to the plugin with suspicious filename parameters. Audit user login sessions around the time of the vulnerability's publication; cross-reference with file access logs for anomalous activity. Enable detailed PHP error logging to capture failed or successful file inclusion attempts.
Why prioritize this
Although this vulnerability requires authentication, the HIGH CVSS score (7.5) and potential for data exfiltration and code execution warrant immediate prioritization. Compromised credentials are common in breach chains, making this a realistic attack vector. The widespread use of WordPress and FAQ plugins increases the attack surface. Organizations should treat this as a priority remediation within 1–2 weeks, especially if user roles beyond administrators are permitted to manage FAQ content.
Risk score, explained
The CVSS 3.1 score of 7.5 (HIGH) reflects: (1) High confidentiality impact—attackers can read arbitrary files from the server, (2) High integrity impact—ability to execute code and modify system state, (3) High availability impact—potential for denial of service through resource exhaustion, (4) Network accessibility—the plugin is reachable over the network, (5) Authentication requirement—reduces score from critical but does not eliminate threat given credential compromise prevalence, and (6) High attack complexity—requires knowledge of filesystem paths or trial-and-error, but not prohibitively difficult for a determined attacker.
Frequently asked questions
Does this vulnerability allow unauthenticated remote code execution?
No. The vulnerability requires valid user credentials to exploit. It is a local file inclusion (LFI) issue accessible only to authenticated users, not a remote file inclusion (RFI) that works without login. However, if user credentials are compromised—through phishing, weak passwords, or insider threat—the attack becomes viable.
How do I know if my site is running a vulnerable version of Accordion FAQ?
Log into your WordPress admin panel, navigate to Plugins, and locate Accordion FAQ. The plugin details page displays the installed version number. Compare it to version 2.2.1; if your version is 2.2.1 or earlier, you are vulnerable. You can also check the plugin folder directly in wp-content/plugins/accordion-faq/ for a version.php or readme.txt file.
What files are most at risk of being included by an attacker?
Attackers typically target configuration files (wp-config.php, database credentials), system files (/etc/passwd on Linux), PHP log files, and other plugins' files to chain attacks. In WordPress environments, they may also attempt to include the wp-db.php file to extract database connection strings or admin user data. The exact risk depends on file permissions and the attacker's knowledge of the server layout.
Is there a temporary workaround if I cannot patch immediately?
Yes, implement interim controls: (1) Restrict the 'manage_options' or equivalent capability so only trusted administrators can edit FAQ settings, (2) Disable user registration if it is not essential, (3) Monitor file access logs for anomalies, (4) Use Web Application Firewall (WAF) rules to block requests containing path traversal sequences (../) to the plugin's endpoints. However, these are not substitutes for patching; prioritize the update.
This analysis is based on the CVE record and public data available as of the publication date. Verify all remediation steps, patch versions, and vendor guidance against UnboundStudio's official security advisory. This vulnerability requires authentication; security teams should still prioritize it given the prevalence of credential compromise. No exploit code or proof-of-concept is provided. Conduct testing in a staging environment before applying patches to production systems. If you operate Accordion FAQ in a production environment, coordinate with your development and hosting teams immediately. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-53440HIGHAxiomthemes Confidant PHP Local File Inclusion (LFI) Vulnerability – CVSS 8.1 HIGH
- CVE-2025-58705HIGHCrafti PHP Local File Inclusion (LFI) Vulnerability – Patch Guide
- CVE-2025-58707HIGHPHP Local File Inclusion in Axiomthemes Spin 1.8
- CVE-2025-58897HIGHAxiomthemes Fermentio PHP Local File Inclusion Vulnerability (CVSS 8.1)
- CVE-2025-68886HIGHandroThemes Cookiteer PHP Local File Inclusion Vulnerability – CVSS 8.1
- CVE-2025-69369HIGHAxiomthemes Racquet File Inclusion Vulnerability (CVSS 8.1)
- CVE-2026-37266HIGHResponsive File Manager 9.14.0 Remote Code Execution via force_download.php
- CVE-2026-39552HIGHPHP Local File Inclusion in Code Supply Co. Blueprint – Patch Guidance