Equalize Digital Accessibility Checker <= 1.42.1 - Missing Authorization to Authenticated (Author+) Arbitrary Accessibility Issue Modification via 'largeBatch' Parameter

An authenticated attacker with at least Author-level access crafts a POST request to `/dismiss-issue/{issue_id}` where `issue_id` belongs to a post they can edit. By including `largeBatch=true` in the request body, the handler bypasses per-post authorization and applies the dismiss/ignore/restore action to every issue across the site that shares the same `object` value, including issues on administrator-owned posts [ref_id=1]. The permission callback only checks `current_user_can('edit_post', $post_id)` for the single issue's post, so the attacker's own post serves as a valid authorization token for the entire batch operation.

The vulnerability resides in the `/dismiss-issue/(?P\d+)` REST route registered in `class-rest-api.php` around line 1247. The `permission_callback` only verifies that the attacker can edit the post associated with the supplied `issue_id`, but the `dismiss_issue` callback (not shown in the excerpt) accepts a `largeBatch=true` parameter that causes it to bulk-modify all issues sharing the same `object` value across the entire site without re-checking permissions for those other posts.

The patch is not included in the bundle, but the advisory indicates that the fix must ensure the `dismiss_issue` handler verifies the user can edit every post affected by a batch operation, or remove the `largeBatch` parameter entirely. Without a patch diff, the remediation guidance is to restrict the batch-dismiss functionality so that it only operates on issues belonging to posts the current user is authorized to edit, preventing privilege escalation via the `largeBatch` flag.