Description
The Web Accessibility By accessiBe plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.10. This is due to missing nonce validation on multiple AJAX actions including accessibe_signup, accessibe_login, accessibe_license_trial, accessibe_modify_config, and accessibe_add_verification_page. This makes it possible for unauthenticated attackers to modify plugin settings and create verification files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-10-11
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Request Forgery that allows unauthenticated users to alter plugin settings and create verification files
Action: Patch Immediately
AI Analysis

Impact

The Web Accessibility By accessiBe WordPress plugin suffers a CSRF flaw in versions 2.10 and earlier because several AJAX actions (accessibe_signup, accessibe_login, accessibe_license_trial, accessibe_modify_config and accessibe_add_verification_page) are handled without nonce validation. A WordPress nonce is what ties an admin-ajax.php request to a page the logged-in user actually loaded; without it, any request that arrives with an administrator's session cookies is accepted, including one auto-submitted by a page the administrator was lured to. The attacker needs no credentials of their own because the victim's browser supplies the administrator's. The result is unauthorized changes to plugin configuration and creation of verification files with attacker-chosen content, an integrity compromise of the plugin's settings; the CVSS vector on this page (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) records it as a low integrity impact with no confidentiality or availability impact. The weakness is a traditional Cross-Site Request Forgery (CWE-352).
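As an added illustration of the bug class, not code from the accessiBe plugin: the vulnerable shape of a WordPress AJAX handler that saves whatever is posted, beside the hardened shape that verifies a nonce bound to the logged-in user's session and then checks capability. The action name follows the advisory; the option key, the POST field name, the script handle and the helper function names are assumptions made for this example.

```php
<?php
// Added example: not code from the accessiBe plugin. The action name follows the
// advisory; the option key 'example_widget_config' and the 'config' POST field
// are assumptions made for illustration.

// --- Vulnerable pattern (what missing nonce validation looks like) -------------
// Anything that arrives with an administrator's session cookies is accepted,
// including a form auto-submitted by a page the administrator was lured to.
// That is CWE-352. Shown for contrast only; it is deliberately not hooked below.
function example_modify_config_vulnerable() {
    $config = sanitize_text_field( wp_unslash( $_POST['config'] ?? '' ) );
    update_option( 'example_widget_config', $config );
    wp_send_json_success();
}

// --- Hardened pattern ------------------------------------------------------------
function example_modify_config_hardened() {
    // 1. Nonce. The token is derived from the logged-in user's session and the
    //    action string, so a third-party page cannot know it. On failure
    //    check_ajax_referer() stops the request with HTTP 403 ($stop = true).
    check_ajax_referer( 'accessibe_modify_config', '_ajax_nonce', true );

    // 2. Capability. A nonce proves the request came from the plugin's own page;
    //    it says nothing about authority, so still check the user's capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $config = sanitize_text_field( wp_unslash( $_POST['config'] ?? '' ) );
    update_option( 'example_widget_config', $config );
    wp_send_json_success();
}
// Logged-in users only. Do not also register a wp_ajax_nopriv_ variant for a
// settings-changing action: a nonce minted for a logged-out visitor proves nothing.
add_action( 'wp_ajax_accessibe_modify_config', 'example_modify_config_hardened' );

// --- Handing the nonce to the plugin's own JavaScript --------------------------
function example_enqueue_admin_js( $hook_suffix ) {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'accessibe_modify_config' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_js' );

// admin.js then sends the token in the _ajax_nonce field, e.g.
//   jQuery.post( exampleAjax.url, {
//       action: 'accessibe_modify_config', _ajax_nonce: exampleAjax.nonce, config: '...'
//   } );
```

The order matters: the nonce check runs first and terminates the request on failure, so the capability check and the write are never reached by a forged request. The capability check is still needed because a nonce only proves origin, not privilege.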

Affected Systems

The affected system is the Web Accessibility By accessiBe plugin for WordPress, all releases up to and including version 2.10. Administrators should confirm the installed version (the Plugins screen, or the Version: header of the plugin's main file) and treat any version at or below 2.10 as vulnerable. No WordPress core or other plugin components are reported to be affected.

Risk and Exploitability

The CVSS 3.1 base score of 4.3 (Medium) and an EPSS score below 1% point to moderate severity and a low observed likelihood of exploitation. The attacker needs no account on the site (PR:N), but the attack only succeeds if a logged-in administrator is induced to open a page or click a link that issues the forged request (UI:R), so exploitation in practice goes through phishing or a lure page. The flaw is not listed in CISA's KEV catalog, and because a forged request is sent by the administrator's own browser and looks like ordinary administrator activity in the web server logs, successful exploitation may go unnoticed. Sites that depend on the plugin for accessibility compliance should weigh the settings-tampering risk accordingly.

Generated by OpenCVE AI on April 21, 2026 at 02:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Web Accessibility By accessiBe plugin to a release newer than 2.10 that fixes the CSRF flaw, as soon as the vendor publishes one.
  • If an immediate update is not feasible, add request validation in front of the vulnerable AJAX actions: a WordPress nonce check (check_ajax_referer()) together with a capability check. A capability check alone does not help against CSRF, since the forged request is carried by an administrator who already has the capability; the nonce is what proves the request came from the plugin's own page. This can be done in a must-use plugin or with a WordPress security plugin that enforces request validation.
  • Put a web application firewall or security plugin in front of admin-ajax.php that blocks requests for the actions listed above whose Origin or Referer header does not match the site's own origin. Filtering by client IP alone does not help, because the forged request is sent from the administrator's own browser and address.
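One way to apply the second and third recommendations without waiting for a vendor release, written here as an added example and not code from the accessiBe plugin or from OpenCVE: a must-use plugin that gates the five listed admin-ajax.php actions on a same-origin check of the Origin (or, failing that, Referer) header. The policy, the function names and the hook choice are this example's assumptions. The decision logic is a pure function, so the file can also be run with `php` outside WordPress to exercise the policy.

```php
<?php
/**
 * Plugin Name: CSRF stopgap for accessiBe AJAX actions
 * Description: Added example, not vendor code. Drop into wp-content/mu-plugins/
 *              until a plugin release newer than 2.10 that fixes the flaw is installed.
 */

// Action names as listed in the advisory.
const ACCESSIBE_CSRF_STOPGAP_ACTIONS = array(
    'accessibe_signup',
    'accessibe_login',
    'accessibe_license_trial',
    'accessibe_modify_config',
    'accessibe_add_verification_page',
);

/**
 * Normalise a URL to lower-case scheme://host[:port]; '' if it cannot be parsed.
 */
function accessibe_csrf_stopgap_origin( string $url ): string {
    $p = parse_url( $url );
    if ( ! is_array( $p ) || empty( $p['scheme'] ) || empty( $p['host'] ) ) {
        return '';
    }
    $origin = strtolower( $p['scheme'] . '://' . $p['host'] );
    if ( ! empty( $p['port'] ) ) {
        $origin .= ':' . $p['port'];
    }
    return $origin;
}

/**
 * Decide whether an admin-ajax request may proceed. Pure function over the
 * request data so it can be exercised outside WordPress.
 *
 * Policy (this example's, not the plugin's): actions not in the list are never
 * touched; listed actions must carry an Origin header (or, if Origin is absent
 * or "null", a Referer) whose scheme, host and port equal the site's own.
 * Browsers attach Origin to cross-site POSTs and to fetch/XMLHttpRequest, so the
 * plugin's own admin-page calls pass. A request with neither header is refused.
 */
function accessibe_csrf_stopgap_allows( string $action, array $headers, string $site_url ): bool {
    if ( ! in_array( $action, ACCESSIBE_CSRF_STOPGAP_ACTIONS, true ) ) {
        return true;
    }
    $candidate = $headers['origin'] ?? '';
    if ( $candidate === '' || $candidate === 'null' ) {
        $candidate = $headers['referer'] ?? '';
    }
    if ( $candidate === '' ) {
        return false; // fail closed
    }
    $expected = accessibe_csrf_stopgap_origin( $site_url );
    return $expected !== '' && accessibe_csrf_stopgap_origin( $candidate ) === $expected;
}

if ( function_exists( 'add_action' ) ) {
    // admin-ajax.php fires admin_init before any wp_ajax_{action} hook.
    add_action( 'admin_init', function () {
        if ( ! wp_doing_ajax() ) {
            return;
        }
        $headers = array(
            'origin'  => (string) ( $_SERVER['HTTP_ORIGIN'] ?? '' ),
            'referer' => (string) ( $_SERVER['HTTP_REFERER'] ?? '' ),
        );
        if ( ! accessibe_csrf_stopgap_allows( (string) ( $_REQUEST['action'] ?? '' ), $headers, home_url() ) ) {
            wp_die( 'Cross-site request blocked.', 403 ); // same status check_ajax_referer() uses
        }
    }, 0 );
}

/** Stand-alone check of the policy: `php this-file.php` outside WordPress. */
function accessibe_csrf_stopgap_selftest(): bool {
    $site = 'https://example.com/';
    return accessibe_csrf_stopgap_allows( 'accessibe_modify_config', array( 'origin' => 'https://example.com' ), $site )
        && accessibe_csrf_stopgap_allows( 'accessibe_login', array( 'referer' => 'https://example.com/wp-admin/admin.php?page=x' ), $site )
        && ! accessibe_csrf_stopgap_allows( 'accessibe_modify_config', array( 'origin' => 'https://attacker.example' ), $site )
        && ! accessibe_csrf_stopgap_allows( 'accessibe_modify_config', array( 'origin' => 'null' ), $site )
        && ! accessibe_csrf_stopgap_allows( 'accessibe_add_verification_page', array(), $site )
        && accessibe_csrf_stopgap_allows( 'heartbeat', array( 'origin' => 'https://attacker.example' ), $site );
}

if ( PHP_SAPI === 'cli' && ! function_exists( 'add_action' ) ) {
    echo accessibe_csrf_stopgap_selftest() ? "stopgap policy checks passed\n" : "stopgap policy checks FAILED\n";
}
```

Two caveats before relying on it. It fails closed when both headers are absent, so exercise the plugin's own admin pages after installing it, and if the site's home URL and admin URL differ in host or port, compare against the one the admin pages are served from. It is a stopgap against cross-site requests only: it does not replace the nonce validation the plugin itself should perform, and it does nothing against a request originating from the site's own origin.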

Generated by OpenCVE AI on April 21, 2026 at 02:23 UTC.

Tracking


Advisories

No advisories yet.

History

Mon, 20 Oct 2025 16:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wordpress; Wordpress wordpress
Vendors & Products                    Wordpress; Wordpress wordpress

Tue, 14 Oct 2025 19:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 11 Oct 2025 09:45:00 +0000

Type          Values Removed   Values Added
Description                    The Web Accessibility By accessiBe plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.10. This is due to missing nonce validation on multiple AJAX actions including accessibe_signup, accessibe_login, accessibe_license_trial, accessibe_modify_config, and accessibe_add_verification_page. This makes it possible for unauthenticated attackers to modify plugin settings and create verification files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title                          Web Accessibility By accessiBe <= 2.10 - Cross-Site Request Forgery
Weaknesses                     CWE-352
References
Metrics                        cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:29:26.514Z

Reserved: 2025-09-12T15:42:42.324Z

Link: CVE-2025-10375

Vulnrichment

Updated: 2025-10-14T18:31:54.089Z

NVD

Status : Deferred

Published: 2025-10-11T10:15:42.310

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10375

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T02:30:25Z

Weaknesses