Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rachel Cherry wA11y – The Web Accessibility Toolbox wa11y allows Stored XSS. This issue affects wA11y – The Web Accessibility Toolbox: from n/a through <= 1.0.3.
Published: 2025-03-24
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The wA11y – The Web Accessibility Toolbox plugin accepts user input that is not sanitized and stores it for later display on web pages, enabling a malicious actor to embed persistent JavaScript. When visitors load the affected content, the injected script runs in their browsers, which can lead to credential theft, site defacement, or redirection to malicious sites. This flaw is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation).

Affected Systems

All releases of the WordPress plugin Rachel Cherry wA11y – The Web Accessibility Toolbox through version 1.0.3, including any older or default installations, are affected.

Risk and Exploitability

The CVSS score of 5.9 indicates medium severity. The EPSS score of less than 1% suggests attacks are rare at present, and the weakness is not listed in the CISA KEV catalog. An attacker would need to create or edit plugin content, which typically requires administrative or privileged user access, to inject persistent payloads. No publicly documented exploits have been reported as of the latest information.

Generated by OpenCVE AI on May 2, 2026 at 08:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the wA11y plugin to the latest available version that removes the stored XSS flaw.
  • If an update cannot be performed immediately, deactivate or uninstall the wA11y plugin to eliminate the attack surface.
  • Restrict editing of wA11y content to trusted administrators and disable guest or anonymous content creation to reduce risk.
  • Continuously monitor the plugin’s release notes and vendor advisories for security patches or additional mitigation guidance.


Tracking


Advisories
Source: EUVD
ID: EUVD-2025-7909
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rachel Cherry wA11y – The Web Accessibility Toolbox allows Stored XSS. This issue affects wA11y – The Web Accessibility Toolbox: from n/a through 1.0.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Added: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rachel Cherry wA11y – The Web Accessibility Toolbox allows Stored XSS. This issue affects wA11y – The Web Accessibility Toolbox: from n/a through 1.0.3.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rachel Cherry wA11y – The Web Accessibility Toolbox wa11y allows Stored XSS. This issue affects wA11y – The Web Accessibility Toolbox: from n/a through <= 1.0.3.

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Mon, 24 Mar 2025 22:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 24 Mar 2025 14:00:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rachel Cherry wA11y – The Web Accessibility Toolbox allows Stored XSS. This issue affects wA11y – The Web Accessibility Toolbox: from n/a through 1.0.3.

Type: Title
Values Added: WordPress wA11y – The Web Accessibility Toolbox plugin <= 1.0.3 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:55.909Z

Reserved: 2025-03-24T13:00:55.838Z

Link: CVE-2025-30623

Vulnrichment

Updated: 2025-03-24T21:21:13.027Z

NVD

Status: Deferred

Published: 2025-03-24T14:15:34.797

Modified: 2026-04-23T15:26:59.400

Link: CVE-2025-30623

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T09:00:11Z

Weaknesses