Description
The WP Accessibility plugin for WordPress is vulnerable to Stored DOM-Based Cross-Site Scripting via the 'alt' attribute of images processed by the "Long Description UI" feature in all versions up to, and including, 2.3.1. This is due to the plugin's JavaScript retrieving the alt attribute using getAttribute() and unsafely concatenating it into innerHTML and insertAdjacentHTML calls without proper sanitization or escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the "Long Description UI" setting to be enabled and set to "Link to description."
Published: 2026-02-27
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored DOM-Based Cross-Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The WP Accessibility plugin's "Long Description UI" JavaScript reads an image's alt text with getAttribute() and concatenates it directly into innerHTML and insertAdjacentHTML calls without escaping, creating a DOM-based cross-site scripting flaw. Because getAttribute() returns the browser-decoded value, entity-encoding the alt attribute in the stored markup does not neutralise the sink; the raw string is parsed as HTML when the plugin builds the long-description link. If the Long Description UI is enabled and set to "Link to description", an attacker with Contributor-level privileges can store script-bearing alt text on an image in content they are able to edit. When a user visits a page that displays that image, the script runs in the visitor's browser with the visitor's session and privileges on the site.
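The sink pattern the advisory describes, as an added example that is not the plugin's own code: a string-building function in the shape of the vulnerable concatenation, the same output with escaping applied, a DOM-API variant that never lets alt text reach an HTML parser, and a small check usable when auditing stored alt text. The markup produced (a wrapper div holding the long-description link) and the function names are assumptions for illustration; the real plugin output differs.

```javascript
// Added example (not the WP Accessibility plugin's code). The markup shape
// and function names are ASSUMED for illustration.

// Escape text destined for an element body or a double-quoted attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// VULNERABLE pattern from the advisory: alt text read via getAttribute() is
// the browser-decoded value, so alt="&lt;img ...&gt;" in the page source comes
// back as the raw string "<img ...>" and is concatenated into markup that
// innerHTML / insertAdjacentHTML will parse and execute.
function buildLongDescVulnerable(alt, href) {
  return '<div class="longdesc-link">' +
         '<a href="' + href + '">Long description for "' + alt + '"</a>' +
         '</div>';
}

// Browser-side call matching the vulnerable sink (runs only where a DOM exists).
function injectVulnerable(img, href) {
  img.insertAdjacentHTML('afterend',
    buildLongDescVulnerable(img.getAttribute('alt') || '', href));
}

// HARDENED string-building variant: every untrusted piece is escaped first.
function buildLongDescSafe(alt, href) {
  return '<div class="longdesc-link">' +
         '<a href="' + escapeHtml(href) + '">Long description for "' +
         escapeHtml(alt) + '"</a>' +
         '</div>';
}

// HARDENED DOM-API variant (preferred in browser code): build nodes and set
// text with textContent, so alt text is never parsed as HTML at all.
function renderLongDesc(img, href, doc) {
  const d = doc || (typeof document !== 'undefined' ? document : null);
  if (!d) throw new Error('no DOM available');
  const wrapper = d.createElement('div');
  wrapper.className = 'longdesc-link';
  const link = d.createElement('a');
  link.href = href;
  link.textContent = 'Long description for "' + (img.getAttribute('alt') || '') + '"';
  wrapper.appendChild(link);
  img.insertAdjacentElement('afterend', wrapper);
  return wrapper;
}

// Audit helper for reviewing stored alt text: alt text is plain prose, so any
// tag-like fragment, inline event handler or javascript: URL is suspicious.
function altLooksInjected(alt) {
  const s = String(alt);
  return /<\s*[a-z!\/]/i.test(s) ||
         /\bon[a-z]+\s*=/i.test(s) ||
         /javascript\s*:/i.test(s);
}

// Constructed sample values (not taken from any real site).
const SAMPLE_ALTS = [
  'A red bicycle leaning on a wall',
  '<img src=x onerror=alert(document.cookie)>',
  '"><svg onload=alert(1)>',
];

function auditSampleAlts() {
  return SAMPLE_ALTS.filter(altLooksInjected);
}
```

Run in a browser console against an image element to compare `injectVulnerable` with `renderLongDesc`; in Node only the string builders and `altLooksInjected` are exercised, since there is no DOM.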

Affected Systems

WordPress installations running the WP Accessibility plugin by Joedolson at version 2.3.1 or earlier are affected. The unsafe code path is only reached when the Long Description UI feature is enabled and set to "Link to description." Users with Contributor or higher roles can supply the alt text that reaches the vulnerable sink; lower-privileged roles cannot set image alt text and so cannot trigger the flaw.

Risk and Exploitability

The vulnerability is scored at CVSS 6.4 (medium severity), with a changed scope (S:C) reflecting that the script runs in the visiting user's browser rather than in the plugin itself. Its exploit probability is very low, with an EPSS of less than 1%, and it is not listed in the CISA KEV catalog. Exploitation requires an authenticated user with at least Contributor access, the Long Description UI setting enabled and set to "Link to description", and the ability to store a malicious alt attribute value. When a site visitor accesses a page that displays the compromised image, the injected script runs in that visitor's browser with the visitor's session and privileges on the site. The server is not directly compromised, but a script executed in an administrator's browser can perform actions as that administrator.

Generated by OpenCVE AI on April 15, 2026 at 23:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP Accessibility plugin to the latest available version.
  • If the upgrade must be postponed, disable the Long Description UI feature or switch it to a mode other than "Link to description", so that stored alt text no longer reaches the unsafe innerHTML/insertAdjacentHTML path and cannot execute for front-end users.
  • Manually review existing image alt text for injected markup (tags, inline event handlers, javascript: URLs) and remove or escape any suspicious content; apply the same review before publishing new content.


Advisories

No advisories yet.

History

Fri, 06 Mar 2026 19:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Feb 2026 16:15:00 +0000

Type: First Time appeared
Values Added: Joedolson; Joedolson wp Accessibility; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Joedolson; Joedolson wp Accessibility; Wordpress; Wordpress wordpress

Fri, 27 Feb 2026 08:45:00 +0000

Type: Description
Values Added: The WP Accessibility plugin for WordPress is vulnerable to Stored DOM-Based Cross-Site Scripting via the 'alt' attribute of images processed by the "Long Description UI" feature in all versions up to, and including, 2.3.1. This is due to the plugin's JavaScript retrieving the alt attribute using getAttribute() and unsafely concatenating it into innerHTML and insertAdjacentHTML calls without proper sanitization or escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the "Long Description UI" setting to be enabled and set to "Link to description."

Type: Title
Values Added: WP Accessibility <= 2.3.1 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via 'alt' Attribute

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:15:56.637Z

Reserved: 2026-02-11T18:02:23.893Z

Link: CVE-2026-2362

Vulnrichment

Updated: 2026-03-06T18:45:10.303Z

NVD

Status : Deferred

Published: 2026-02-27T09:16:17.290

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2362

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T00:00:14Z

Weaknesses