VYPR
← All advisories
Medium severity4.3NVD Advisory· Published May 28, 2026

CVE-2026-9015

CVE-2026-9015

Description

The Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.42.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the ignore state, ignore reason, and ignore comment of arbitrary accessibility issues across the entire site — including mass modification of all rows sharing an 'object' identifier when largeBatch=true is supplied — corrupting accessibility audit integrity by hiding or dismissing findings outside their authorization scope.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Accessibility Checker plugin up to 1.42.0 lets authenticated subscribers modify the ignore state of any accessibility issue, corrupting audit integrity.

Vulnerability

The Equalize Digital Accessibility Checker plugin for WordPress fails to properly verify user authorization when processing requests to modify the ignore state, ignore reason, and ignore comment of accessibility issues. This affects all versions up to and including 1.42.0. The vulnerability exists in the REST API and AJAX endpoints that handle these modifications (as seen in the enqueue-admin.php files [1][2] and the class-ajax.php handler [3][4]), where no capability check is performed before updating the database. As a result, any authenticated user with subscriber-level access or higher can manipulate the ignore status of any issue across the entire site.

Exploitation

An attacker needs a valid WordPress account with at least the subscriber role. They can send crafted HTTP requests to the plugin's REST API (e.g., /accessibility-checker/v1/...) or AJAX actions, supplying parameters such as the issue ID, new ignore state, reason, comment, and optionally largeBatch=true. When largeBatch=true is provided, the plugin modifies all rows sharing the same object identifier, enabling mass dismissal of findings. The attacker must include a valid REST nonce (wp_rest) which is available to any authenticated user via the localized script variables [1][2].

Impact

Successful exploitation allows an attacker to hide or dismiss accessibility audit findings arbitrarily, corrupting the integrity of the audit data. This can conceal non-compliance with WCAG, ADA, EAA, or Section 508 standards from administrators, potentially leading to legal or regulatory penalties. The attacker does not gain code execution or access to sensitive data, but the audit trail is compromised.

Mitigation

As of the publication date (2026-05-28), no patched version has been released. Users should update to version 1.43.0 or later once available. As a temporary workaround, administrators can restrict subscriber-level access or disable the plugin until a fix is applied. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog.

References
  1. https://plugins.trac.wordpress.org/browser/accessibility-checker/tags/1.41.0/admin/class-enqueue-admin.php#L89
  2. https://plugins.trac.wordpress.org/browser/accessibility-checker/tags/1.38.0/admin/class-enqueue-admin.php#L89
  3. https://plugins.trac.wordpress.org/browser/accessibility-checker/tags/1.41.0/admin/class-ajax.php#L814
  4. https://plugins.trac.wordpress.org/browser/accessibility-checker/tags/1.41.0/admin/class-ajax.php#L856

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing authorization verification in the REST API endpoint allows any authenticated user to modify the ignore state of arbitrary accessibility issues."

Attack vector

An authenticated attacker with subscriber-level access or above can send crafted REST API requests to the plugin's `/accessibility-checker/v1` endpoints. The plugin fails to verify that the user has proper authorization to modify the ignore state, ignore reason, or ignore comment of accessibility issues. By supplying `largeBatch=true`, the attacker can mass-modify all rows sharing an 'object' identifier across the entire site, corrupting audit integrity by hiding or dismissing findings outside their authorization scope [ref_id=1][ref_id=2].

Affected code

The vulnerability resides in the REST API endpoint handling issue dismissal/ignoring within the Accessibility Checker plugin. The provided references show the enqueue-admin.php file (versions 1.38.0 and 1.41.0) which sets up REST API routes and nonces, but the actual authorization check failure is in the server-side REST controller that processes `dismiss_issue` or similar endpoints — that controller code is not shown in the supplied bundle.

What the fix does

No patch is included in the supplied bundle. The advisory states that all versions up to and including 1.42.0 are affected. The remediation would require the plugin to add proper capability checks (e.g., `current_user_can()`) on the server-side REST controller before processing any issue dismissal or ignore-modification requests, ensuring that only authorized users can modify accessibility findings.

Preconditions

  • authAttacker must have an authenticated WordPress account with at least subscriber-level access
  • configThe Accessibility Checker plugin must be installed and active
  • networkAttacker must be able to send REST API requests to the WordPress installation

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

10

News mentions

0

No linked articles in our index yet.