CVE-2026-24629
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ability, Inc Web Accessibility with Max Access accessibility-toolbar allows Stored XSS. This issue affects Web Accessibility with Max Access: from n/a through <= 2.1.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in the WordPress Web Accessibility with Max Access plugin up to version 2.1.0 allows authenticated attackers to inject arbitrary scripts, which execute when visitors view the compromised page.
Vulnerability
Description
The Web Accessibility with Max Access plugin for WordPress (by Ability, Inc) suffers from a stored cross-site scripting (XSS) vulnerability in versions up to and including 2.1.0. The root cause is improper neutralization of user-supplied input during web page generation [1]. This allows an authenticated user with elevated privileges (e.g., an administrator or similar role) to inject arbitrary HTML and JavaScript code into the accessibility-toolbar functionality.
Exploitation
Conditions
To exploit this vulnerability, an attacker must have legitimate access to the WordPress admin area with sufficient permissions to modify the plugin's settings or content. The attack does not require direct user interaction for the initial injection, but successful execution of the injected script depends on a site visitor or administrator triggering the affected page (e.g., by viewing the toolbar or a page containing the injected payload) [1]. This type of vulnerability is often targeted in mass-exploit campaigns, where attackers automate the abuse of thousands of sites simultaneously.
Impact
An attacker can inject malicious scripts that run in the browser of any user who visits a page containing the stored payload. This can be used to redirect visitors to malicious websites, display unauthorized advertisements, steal session cookies, or perform other client-side attacks [1]. The CVSS v3 base score is 5.9 (Medium), reflecting the need for authenticated access but the potential for broad impact on site visitors.
Mitigation
The vendor recommends updating the plugin to a version newer than 2.1.0 as soon as possible. For sites that cannot be updated immediately, administrators should restrict plugin editing privileges to trusted users only and consider using a web application firewall to help block XSS payloads [1]. No official workaround has been provided beyond removal or upgrade.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 2.1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.