CVE-2025-66112

The Accessibility Toolkit by WebYes plugin (accessibility-plus) for WordPress, versions up to and including 2.0.4, suffers from a missing authorization vulnerability. This broken access control issue means that certain functions within the plugin do not properly verify permissions, allowing unauthorized actions to be performed [1].

Attackers can exploit this flaw by sending crafted HTTP requests to the plugin, potentially without requiring any authentication. The vulnerability is considered suitable for mass-exploitation campaigns, where attackers target thousands of websites regardless of their size or popularity [1].

Successful exploitation could allow an unprivileged attacker to execute actions normally reserved for higher-privileged users, such as modifying settings or accessing restricted data. Despite this, the vendor assesses the impact as low severity and considers exploitation unlikely [1].

To mitigate, users should update the plugin to version 2.0.5 or later. Enabling automatic updates for vulnerable plugins is recommended. If an immediate update is not possible, seeking assistance from a hosting provider or web developer is advised [1].