VYPR
Medium severity 4.3 · NVD Advisory · Published Sep 9, 2025 · Updated Apr 23, 2026

CVE-2025-58976

Description

Missing Authorization vulnerability in Equalize Digital Accessibility Checker by Equalize Digital accessibility-checker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Accessibility Checker by Equalize Digital: from n/a through <= 1.31.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Accessibility Checker by Equalize Digital plugin <=1.31.0 has a missing authorization vulnerability allowing privilege escalation.

Vulnerability Overview

The Accessibility Checker by Equalize Digital plugin for WordPress, versions up to and including 1.31.0, contains a missing authorization vulnerability. This is a broken access control issue where the plugin fails to properly verify permissions or nonce tokens in certain functions, allowing users with lower privileges to perform actions intended for higher-privileged users [1].

Exploitation

An attacker who is already authenticated as a low-privileged user (e.g., subscriber or contributor) can exploit this flaw by sending crafted requests to the vulnerable endpoints. No additional authentication is required beyond a valid WordPress user account. The attack surface is the plugin's administrative functions that lack proper capability checks [1].

Impact

Successful exploitation enables an attacker to escalate their privileges, potentially gaining access to settings or data that should be restricted to administrators. This could lead to unauthorized modification of accessibility checker configurations or other sensitive operations within the WordPress installation.

Mitigation

The vendor has released version 1.31.1 which addresses the vulnerability. Users are strongly advised to update immediately. For those unable to update, disabling the plugin or implementing a web application firewall rule may provide temporary protection. This vulnerability is listed in Patchstack's database and is considered low severity, but it is part of mass-exploit campaigns targeting WordPress sites [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
