Impact
The Accessiy plugin for WordPress contains a missing-authorization flaw that allows any authenticated user with subscriber-level access or higher to change the plugin's global accessibility settings. The root cause is that the settings-update code does not adequately verify that the caller holds the capability required to modify plugin settings; being logged in is treated as sufficient. If exploited, an attacker can alter the appearance and behavior of the accessibility toolbar on every page served to site visitors, potentially degrading user experience, breaking accessibility compliance, and undermining the plugin's intended functionality. The vulnerability is a classic instance of CWE-862: Missing Authorization.
Affected Systems
The affected product is the Accessiy By CodeConfig – Accessibility Widgets for ADA, EAA & WCAG Compliance plugin for WordPress, versions up to and including 1.0.2. Any WordPress site running one of those plugin versions is susceptible, regardless of operating system or WordPress core version; the plugin version is the only stated constraint.
Risk and Exploitability
The CVSS base score of 4.3 places the flaw in the Medium severity range. The EPSS score indicates a very low probability of exploitation (under 1 percent), and the vulnerability is not listed in the CISA KEV catalog. Because the attacker must first be authenticated as a subscriber or higher, exploitation requires a legitimate WordPress user account; note that sites with open user registration hand out subscriber accounts to anyone who asks. The likely path is an Ajax request to the plugin's settings handler that writes configuration values, although the specific endpoint is inferred rather than confirmed. The flaw does not allow remote code execution and does not elevate the attacker beyond their existing role, but it does let them tamper with site-wide settings, which could be leveraged for phishing or for obscuring malicious content, especially in combination with other weaknesses.
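To make the CWE-862 pattern concrete for both the Impact and Risk sections above, the following is an added illustration, not code from the Accessiy plugin or from CodeConfig: a generic WordPress settings-save Ajax handler shown first in its vulnerable form (any logged-in user can reach `wp_ajax_*` hooks, and nothing checks their capability) and then hardened with a nonce check, a capability check, and input allow-listing. The hook names, option name, field names and the hypothetical `acc_demo_` prefix are assumptions made for the example.

```php
<?php
/*
 * Added example, not the plugin's own code. The hook/option/field names
 * (acc_demo_*) are hypothetical. Shows a missing-authorization settings
 * handler (CWE-862) and a hardened equivalent.
 */

// --- Vulnerable pattern ---------------------------------------------------
// wp_ajax_{action} handlers run for ANY authenticated user, including
// subscribers. Without a capability check, this is CWE-862.
add_action( 'wp_ajax_acc_demo_save_settings', 'acc_demo_save_settings_vulnerable' );
function acc_demo_save_settings_vulnerable() {
    // No nonce check and no current_user_can(): a subscriber can hit
    // POST /wp-admin/admin-ajax.php?action=acc_demo_save_settings
    // and rewrite the site-wide toolbar configuration.
    $settings = array(
        'toolbar_position' => sanitize_text_field( wp_unslash( $_POST['toolbar_position'] ?? 'left' ) ),
        'hide_widget'      => ! empty( $_POST['hide_widget'] ),
    );
    update_option( 'acc_demo_settings', $settings );
    wp_send_json_success( $settings );
}

// --- Hardened pattern -----------------------------------------------------
add_action( 'wp_ajax_acc_demo_save_settings_secure', 'acc_demo_save_settings_secure' );
function acc_demo_save_settings_secure() {
    // 1. CSRF protection: the request must carry a nonce minted for this
    //    action (server side: wp_create_nonce( 'acc_demo_save_settings' )).
    //    check_ajax_referer() terminates the request with -1 on failure.
    check_ajax_referer( 'acc_demo_save_settings', 'nonce' );

    // 2. Authorization: changing global options requires the capability that
    //    administrators hold; being logged in is not enough.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Validate against an allow-list instead of trusting free-form input.
    $allowed_positions = array( 'left', 'right' );
    $position = sanitize_text_field( wp_unslash( $_POST['toolbar_position'] ?? 'left' ) );
    if ( ! in_array( $position, $allowed_positions, true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid toolbar position.' ), 400 );
    }

    $settings = array(
        'toolbar_position' => $position,
        'hide_widget'      => ! empty( $_POST['hide_widget'] ),
    );
    update_option( 'acc_demo_settings', $settings );
    wp_send_json_success( $settings );
}
```

Two caveats worth keeping in mind when auditing plugin handlers for this class of bug: `is_admin()` only reports whether an admin-area URL (including `admin-ajax.php`) is being served and says nothing about the user's role, so it is not an authorization check; and a nonce alone does not fix CWE-862, because a subscriber can obtain a valid nonce from any page that enqueues it. The capability check is the control that actually closes the hole described in the Impact section.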
OpenCVE Enrichment