Description
Missing Authorization vulnerability in WebToffee Accessibility Toolkit by WebYes accessibility-plus allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Accessibility Toolkit by WebYes: from n/a through <= 2.0.4.
Published: 2025-11-21
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This flaw represents a missing authorization control in the WebToffee Accessibility Toolkit by WebYes plugin, specifically its accessibility-plus component. Attackers can use the plugin’s exposed management features to circumvent normal WordPress role restrictions and gain access to data or actions that should be reserved for higher‑privilege users. The weakness is a classic example of CWE‑862, where the system fails to enforce appropriate access controls.

Affected Systems

The vulnerability affects the WebToffee Accessibility Toolkit by WebYes plugin, also known as accessibility-plus. All releases from the initial version through and including 2.0.4 are impacted. WordPress sites that have this plugin installed and have not upgraded beyond 2.0.4 are potentially susceptible.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate severity. The EPSS score of less than 1% suggests that real‑world exploitation is currently uncommon. The vulnerability is not listed in CISA’s KEV catalog. Exploitation would most likely involve sending crafted requests to the plugin’s management interface, potentially as a logged‑in user with any role; a remote attacker could exploit the flawed access checks to perform unauthorized actions.

Generated by OpenCVE AI on April 29, 2026 at 12:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WebToffee Accessibility Toolkit by WebYes plugin to a version that corrects the missing authorization check (e.g., 2.0.5 or later).
  • If an upgrade is not immediately possible, disable or remove the accessibility-plus plugin from the WordPress installation until a fix is applied.
  • Configure WordPress role capabilities so that only administrators are granted permissions to use the plugin’s advanced features, and audit the plugin’s settings to ensure no lower‑privilege roles have unintended access.
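The Impact section describes the CWE-862 pattern (a plugin feature reachable without a capability check) and the third recommended action asks for capability-based restriction. The following PHP is an added illustration written for this page, not code from the Accessibility Toolkit by WebYes plugin; the page does not identify which handler in accessibility-plus lacks the check. It shows a hypothetical WordPress settings handler with the check missing, then the same handler with authorization and CSRF checks in place, and a REST route that enforces the same rule through `permission_callback`. Every function, action, option and route name below is an assumption for this example.

```php
<?php
/*
 * Added illustration (not code from the Accessibility Toolkit by WebYes plugin):
 * a hypothetical settings handler that lacks an authorization check, the
 * CWE-862 pattern, followed by the same handler with the checks in place.
 * All function, action, option and route names here are assumptions.
 */

// --- Vulnerable pattern: any logged-in user can change the plugin's settings ---
// wp_ajax_{action} fires for every authenticated user regardless of role, so
// registering the handler is not, by itself, an authorization decision.
add_action( 'wp_ajax_example_a11y_save_settings', 'example_a11y_save_settings_unchecked' );

function example_a11y_save_settings_unchecked() {
    // No capability check and no nonce check: a Subscriber-level account reaches this.
    $settings = array(
        'widget_enabled' => ! empty( $_POST['widget_enabled'] ),
        'widget_color'   => sanitize_text_field( wp_unslash( $_POST['widget_color'] ?? '' ) ),
    );
    update_option( 'example_a11y_settings', $settings );
    wp_send_json_success( $settings );
}

// --- Hardened pattern: authorization enforced inside the handler ---
add_action( 'wp_ajax_example_a11y_save_settings_v2', 'example_a11y_save_settings_checked' );

function example_a11y_save_settings_checked() {
    // Authorization: only users allowed to manage site options get past this line.
    // wp_send_json_error() ends the request, so nothing below runs for other roles.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    // CSRF protection: the request must carry a nonce issued for this action
    // (created on the admin page with wp_create_nonce( 'example_a11y_save_settings' )).
    check_ajax_referer( 'example_a11y_save_settings', 'nonce' );

    $settings = array(
        'widget_enabled' => ! empty( $_POST['widget_enabled'] ),
        'widget_color'   => sanitize_text_field( wp_unslash( $_POST['widget_color'] ?? '' ) ),
    );
    update_option( 'example_a11y_settings', $settings );
    wp_send_json_success( $settings );
}

// --- Same rule for a REST route: permission_callback carries the check ---
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-a11y/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_a11y_rest_save_settings',
        // Returning true unconditionally here would reproduce the missing-authorization flaw.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'widget_enabled' => array( 'type' => 'boolean' ),
            'widget_color'   => array(
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function example_a11y_rest_save_settings( WP_REST_Request $request ) {
    // permission_callback has already run; this callback only sees authorized requests.
    $settings = array(
        'widget_enabled' => (bool) $request->get_param( 'widget_enabled' ),
        'widget_color'   => (string) $request->get_param( 'widget_color' ),
    );
    update_option( 'example_a11y_settings', $settings );
    return rest_ensure_response( $settings );
}
```

When auditing a plugin for this class of flaw, the question to ask of every `wp_ajax_*`, `admin_post_*` and REST handler is whether a `current_user_can()` call (or an equivalent `permission_callback`) sits on the path before any state change; the capability named there is what the third recommended action's role configuration ultimately controls.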

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Mon, 24 Nov 2025 09:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress
Vendors & Products | | Wordpress; Wordpress wordpress

Fri, 21 Nov 2025 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 21 Nov 2025 12:45:00 +0000

Type | Values Removed | Values Added
Description | | Missing Authorization vulnerability in WebToffee Accessibility Toolkit by WebYes accessibility-plus allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Accessibility Toolkit by WebYes: from n/a through <= 2.0.4.
Title | | WordPress Accessibility Toolkit by WebYes plugin <= 2.0.4 - Broken Access Control vulnerability
Weaknesses | | CWE-862
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:08:24.679Z

Reserved: 2025-11-21T11:21:20.345Z

Link: CVE-2025-66112

Vulnrichment

Updated: 2025-11-21T17:38:53.995Z

NVD

Status : Deferred

Published: 2025-11-21T13:15:52.987

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-66112

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T12:45:11Z

Weaknesses