Impact
This vulnerability allows an attacker to upload a file of a dangerous type through the Accessibility Suite plugin’s upload interface. The uploaded file is stored on the server without proper validation of its type and is later served and rendered in the site’s origin, resulting in a stored cross‑site scripting (XSS) flaw. As a consequence, an attacker can inject malicious scripts that run in the browsers of visitors, potentially hijacking user sessions, defacing content, or stealing credentials. The weakness is categorized as CWE‑434 (Unrestricted Upload of File with Dangerous Type), here leading to stored XSS.
Affected Systems
The vulnerability affects Ability, Inc’s Accessibility Suite plugin, version 4.18 and earlier. Any WordPress installation that has this plugin installed and has not been updated to a newer version is potentially exposed.
Risk and Exploitability
With a CVSS score of 6.5, the flaw is considered moderately severe, while an EPSS score of less than 1% indicates a very low probability of exploitation in the wild at this time. The vulnerability is currently not listed in the CISA KEV catalog, further suggesting it has not been observed in widespread attacks. The attack vector is inferred to be the plugin’s file‑upload endpoint, which likely requires authentication to perform the upload; however, the uploaded file can then be accessed by any visitor, which expands the impact. The overall risk remains moderate, warranting timely remediation to prevent a stored XSS event.
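As an added illustration of the CWE‑434 control this advisory implies (example code, not code from the plugin or from OpenCVE), the following Python validator allowlists upload types, verifies the file’s magic bytes against the declared extension, rejects any extension segment a browser or server would treat as active content, and returns the headers to set when the stored file is served. Function and constant names are assumptions.

```python
import re

# Extension segments that turn a stored upload into a stored XSS (or worse)
# when served from the site's own origin. Assumed list for this example.
ACTIVE_EXTENSIONS = {"html", "htm", "xhtml", "svg", "xml", "js", "mjs",
                     "php", "phtml", "phar", "shtml", "swf"}

# Allowlist: extension -> (MIME type, leading magic bytes). Assumed for the example.
ALLOWED = {
    "png":  ("image/png",       b"\x89PNG\r\n\x1a\n"),
    "jpg":  ("image/jpeg",      b"\xff\xd8\xff"),
    "jpeg": ("image/jpeg",      b"\xff\xd8\xff"),
    "gif":  ("image/gif",       b"GIF8"),
    "pdf":  ("application/pdf", b"%PDF-"),
}

def validate_upload(filename, content):
    """Return (accepted, reason). Accept only allowlisted types whose bytes match."""
    # Strip any directory component so path tricks cannot change the decision.
    name = re.split(r"[\\/]", filename)[-1].lower()
    parts = name.split(".")
    if len(parts) < 2 or not parts[0] or not parts[-1]:
        return False, "missing or empty extension"
    # Check every segment, so 'shell.php.png' and 'page.html.jpg' are refused too.
    for seg in parts[1:]:
        if seg in ACTIVE_EXTENSIONS:
            return False, f"active content extension '.{seg}' rejected"
    ext = parts[-1]
    if ext not in ALLOWED:
        return False, f"extension '.{ext}' not on allowlist"
    _, magic = ALLOWED[ext]
    if not content.startswith(magic):
        return False, "content does not match declared type"
    return True, "ok"

def serving_headers(ext):
    """Headers for serving a stored file so the browser never treats it as a document."""
    mime, _ = ALLOWED[ext]
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",   # disable MIME sniffing
        "Content-Disposition": "attachment",   # download, do not render inline
        "Content-Security-Policy": "sandbox",  # no script even if rendered
    }
```

In a real deployment the accepted file should also be stored under a server‑generated name, outside any path the web server executes.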
OpenCVE Enrichment