Description
The Accessiy By CodeConfig Accessibility plugin for WordPress is vulnerable to unauthorized page creation due to missing authorization checks in versions up to, and including, 1.0.0. This is due to the plugin not performing capability checks in the `Settings::createPage()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary published pages on the site via the `ccpcaCreatePage` AJAX action.
Published: 2025-12-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized page creation via missing authorization checks
Action: Immediate Patch
AI Analysis

Impact

The Accessiy By CodeConfig Accessibility plugin for WordPress contains a missing capability check in the Settings::createPage() function, allowing authenticated attackers with Subscriber-level privileges or higher to create arbitrary published pages through the ccpcaCreatePage AJAX action. This represents a Missing Authorization weakness (CWE-862). By creating pages without authorization, an attacker can host malicious content such as phishing pages, inject spam, or otherwise alter the site’s public-facing structure, compromising integrity and potentially leading to defacement or credential theft.

Affected Systems

Any WordPress site that has installed the Accessiy By CodeConfig Accessibility plugin version 1.0.0 or earlier. The vendor is CodeConfig and the affected product is the Accessibility Widgets plugin, affecting sites that run WordPress with this plugin active.

Risk and Exploitability

The vulnerability has a CVSS score of 5.3, indicating medium severity. The EPSS score is less than 1%, suggesting a low likelihood of exploitation at this time, and it is not listed in CISA’s KEV catalog. The attack vector requires an authenticated session with Subscriber-level access or higher; the attacker can exploit the exposed AJAX endpoint, ccpcaCreatePage, to create pages. In practice, if an attacker can log in to the WordPress installation, they can leverage this capability to inject arbitrary content, raising risks to site integrity and user trust.

Generated by OpenCVE AI on April 21, 2026 at 01:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Accessiy plugin to the latest available version, which includes the authorization checks in Settings::createPage();
  • If an upgrade is not immediately possible, disable or remove the ccpcaCreatePage AJAX action or restrict it to administrators by adding a capability check;
  • Audit the site for any pages that may have been created without proper authorization and delete or remediate those pages.
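The following is an added example, not code from the Accessiy plugin or from OpenCVE. It shows the missing-authorization pattern the advisory describes in a generic WordPress AJAX handler, beside a hardened handler that adds the nonce and capability checks the recommended actions call for, plus a small audit helper for the third action. Only the AJAX action name ccpcaCreatePage comes from the record; the function names, the nonce action string, and the request field names are assumptions.

```php
<?php
/**
 * Added example (not the plugin's own code). Only the hook name
 * wp_ajax_ccpcaCreatePage comes from the advisory; everything else
 * (function names, 'ccpca_create_page' nonce action, 'title'/'content'
 * request fields) is assumed for illustration.
 */

// --- Vulnerable pattern: wp_ajax_{action} fires for any logged-in user, and
// --- nothing checks capabilities or a nonce before a published page is inserted.
function ccpca_example_create_page_vulnerable() {
    $post_id = wp_insert_post( array(
        'post_type'    => 'page',
        'post_status'  => 'publish',
        'post_title'   => $_POST['title'] ?? '',
        'post_content' => $_POST['content'] ?? '',
    ) );
    wp_send_json_success( array( 'id' => $post_id ) );
}
// Hooked this way, a Subscriber-level account reaches the handler:
// add_action( 'wp_ajax_ccpcaCreatePage', 'ccpca_example_create_page_vulnerable' );

// --- Hardened handler: nonce check, capability check, input sanitisation.
function ccpca_example_create_page_hardened() {
    // Reject requests that do not carry a nonce minted for this action (CSRF).
    check_ajax_referer( 'ccpca_create_page', 'nonce' );

    // Authorization: only users allowed to publish pages may create them.
    // 'publish_pages' is granted to Editors and Administrators by default.
    if ( ! current_user_can( 'publish_pages' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $title   = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    $content = wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) );

    if ( '' === $title ) {
        wp_send_json_error( array( 'message' => 'Title is required.' ), 400 );
    }

    // Second argument true makes wp_insert_post() return WP_Error on failure.
    $post_id = wp_insert_post( array(
        'post_type'    => 'page',
        'post_status'  => 'publish',
        'post_title'   => $title,
        'post_content' => $content,
        'post_author'  => get_current_user_id(),
    ), true );

    if ( is_wp_error( $post_id ) ) {
        wp_send_json_error( array( 'message' => $post_id->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'id' => $post_id ) );
}
add_action( 'wp_ajax_ccpcaCreatePage', 'ccpca_example_create_page_hardened' );

// --- Audit helper for the third recommended action: return pages (any status)
// --- authored by accounts that hold the Subscriber role, created since $since.
// --- Suitable for a site-specific plugin or `wp eval-file`; review results manually.
function ccpca_example_pages_by_subscribers( $since = '-90 days' ) {
    $subscriber_ids = get_users( array( 'role' => 'subscriber', 'fields' => 'ID' ) );
    if ( empty( $subscriber_ids ) ) {
        return array();
    }
    return get_posts( array(
        'post_type'   => 'page',
        'post_status' => 'any',
        'author__in'  => $subscriber_ids,
        'numberposts' => -1,
        'date_query'  => array( array( 'after' => $since ) ),
    ) );
}
```

The hardened handler expects the client to send a `nonce` field created with `wp_create_nonce( 'ccpca_create_page' )`; the capability check is the fix for the weakness itself, while the nonce check prevents a logged-in user from being tricked into creating a page by a third-party site. A site that wants to restrict the action to administrators only, as the second recommended action suggests, can check `manage_options` instead of `publish_pages`.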



Advisories

No advisories yet.

History

Wed, 08 Apr 2026 18:30:00 +0000

  Type: References

Tue, 09 Dec 2025 10:15:00 +0000

  Type: First Time appeared
  Values Added: Wordpress; Wordpress wordpress

  Type: Vendors & Products
  Values Added: Wordpress; Wordpress wordpress

Mon, 08 Dec 2025 22:15:00 +0000

  Type: Metrics
  Values Added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 06 Dec 2025 06:00:00 +0000

  Type: Description
  Values Added: The Accessiy By CodeConfig Accessibility plugin for WordPress is vulnerable to unauthorized page creation due to missing authorization checks in versions up to, and including, 1.0.0. This is due to the plugin not performing capability checks in the `Settings::createPage()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary published pages on the site via the `ccpcaCreatePage` AJAX action.

  Type: Title
  Values Added: Accessiy By CodeConfig Accessibility <= 1.0.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Page Creation

  Type: Weaknesses
  Values Added: CWE-862

  Type: References

  Type: Metrics
  Values Added: cvssV3_1
    {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:35:06.323Z

Reserved: 2025-11-18T15:51:31.791Z

Link: CVE-2025-13358

Vulnrichment

Updated: 2025-12-08T21:28:16.325Z

NVD

Status: Deferred

Published: 2025-12-06T06:15:51.580

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13358

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T01:15:20Z

Weaknesses