Description
Cross-Site Request Forgery (CSRF) vulnerability in Ability, Inc Web Accessibility with Max Access accessibility-toolbar allows Cross Site Request Forgery. This issue affects Web Accessibility with Max Access: from n/a through <= 2.0.9.
Published: 2025-05-07
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This CSRF vulnerability allows an attacker to cause an authenticated user's browser to perform state-changing operations on the attacker's behalf, without the attacker needing the user's credentials. The flaw is classified as CWE-352 and can lead to unauthorized changes or data leakage, depending on which functions the Web Accessibility with Max Access plugin exposes to such requests.

Affected Systems

Organisations using the Ability Inc Web Accessibility with Max Access plugin version 2.0.9 or earlier are impacted. The vulnerability applies to all releases listed as "from n/a through <= 2.0.9" in the vendor's product range.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation at the current time. The plugin is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is an attacker delivering a malicious link or form to an authenticated user's browser, causing the browser to send an unintended request that the plugin accepts. The attacker needs no privileges of their own; the request is authorized by the victim's existing session.

Generated by OpenCVE AI on April 30, 2026 at 20:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Web Accessibility with Max Access plugin to version 2.1.0 or later, which contains a patch for the CSRF vulnerability.
  • If an upgrade is not immediately possible, deactivate or remove the plugin from the WordPress installation until a fix is released.
  • Add application‑layer CSRF protection for any state‑changing requests handled by the plugin, or configure a web‑application firewall to block requests lacking a valid CSRF token.

Advisories

Source: EUVD
ID: EUVD-2025-13725
Title: Cross-Site Request Forgery (CSRF) vulnerability in Ability, Inc Web Accessibility with Max Access allows Cross Site Request Forgery. This issue affects Web Accessibility with Max Access: from n/a through 2.0.9.

History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics (cvssV3_1): {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description
    Values removed: Cross-Site Request Forgery (CSRF) vulnerability in Ability, Inc Web Accessibility with Max Access allows Cross Site Request Forgery. This issue affects Web Accessibility with Max Access: from n/a through 2.0.9.
    Values added: Cross-Site Request Forgery (CSRF) vulnerability in Ability, Inc Web Accessibility with Max Access accessibility-toolbar allows Cross Site Request Forgery.This issue affects Web Accessibility with Max Access: from n/a through <= 2.0.9.
  Title
    Values removed: WordPress Web Accessibility with Max Access <= 2.0.9 - Cross Site Request Forgery (CSRF) Vulnerability
    Values added: WordPress Web Accessibility with Max Access plugin <= 2.0.9 - Cross Site Request Forgery (CSRF) Vulnerability
  References
  Metrics (cvssV3_1): {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Mon, 14 Jul 2025 13:45:00 +0000
  Metrics (epss)
    Values removed: {'score': 0.00017}
    Values added: {'score': 0.0002}

Wed, 07 May 2025 19:15:00 +0000
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 07 May 2025 14:45:00 +0000
  Description: Cross-Site Request Forgery (CSRF) vulnerability in Ability, Inc Web Accessibility with Max Access allows Cross Site Request Forgery. This issue affects Web Accessibility with Max Access: from n/a through 2.0.9.
  Title: WordPress Web Accessibility with Max Access <= 2.0.9 - Cross Site Request Forgery (CSRF) Vulnerability
  Weaknesses: CWE-352
  References
  Metrics (cvssV3_1): {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:14:17.722Z

Reserved: 2025-05-07T10:45:37.286Z

Link: CVE-2025-47681

Vulnrichment

Updated: 2025-05-07T17:18:36.216Z

NVD

Status: Deferred

Published: 2025-05-07T15:16:20.097

Modified: 2026-04-23T15:30:44.263

Link: CVE-2025-47681

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T20:30:26Z

Weaknesses