Description
The Accessibly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in all versions up to, and including, 3.0.3. The plugin registers REST API endpoints at `/otm-ac/v1/update-widget-options` and `/otm-ac/v1/update-app-config` with the `permission_callback` set to `__return_true`, which means no authentication or authorization check is performed. The `updateWidgetOptions()` function in `AdminApi.php` accepts user-supplied JSON data and passes it directly to `AccessiblyOptions::updateAppConfig()`, which saves it to the WordPress options table via `update_option()` without any sanitization or validation. The stored `widgetSrc` value is later retrieved by `AssetsManager::enqueueFrontendScripts()` and passed directly to `wp_enqueue_script()` as the script URL, causing it to be rendered as a `<script>` tag on every front-end page. This makes it possible for unauthenticated attackers to inject arbitrary JavaScript that executes for all site visitors by changing the `widgetSrc` option to point to a malicious external script.
Published: 2026-04-15
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Stored Cross‑Site Scripting that allows arbitrary JavaScript execution for all site visitors
Action: Immediate Patch
AI Analysis

Impact

The Accessibly WordPress plugin registers REST API endpoints without authentication checks, enabling any visitor to submit JSON data that is stored as the widget source URL. The stored value is later passed directly to wp_enqueue_script, causing the browser to load and execute the script as a <script> tag on all front‑end pages. This results in unauthenticated stored XSS, giving an attacker the ability to run arbitrary JavaScript in the context of the site for all users, compromising confidentiality and integrity of site data and potentially leading to credential theft or defacement.

Affected Systems

All sites running the Accessibly plugin from version 1.0.0 up to and including 3.0.3 are affected. The plugin is identified as onthemapmarketing:Accessibly – WordPress Website Accessibility. The vulnerability originates in files BaseApiController.php, AssetsManager.php, AccessiblyOptions.php, and AdminApi.php within the plugin code base.

Risk and Exploitability

The CVSS v3.1 score of 7.2 indicates a high severity. EPSS is not available, but the lack of authentication combined with stored XSS makes the attack path straightforward for an unauthenticated user who can reach the REST endpoints. The vulnerability is not listed in CISA’s KEV catalog, yet the ease of exploitation suggests that it could be commonly abused. Attackers can simply send a crafted HTTP POST to /otm-ac/v1/update-widget-options or /otm-ac/v1/update-app-config with a malicious widgetSrc URL, which will be executed for every visitor once stored.

Generated by OpenCVE AI on April 15, 2026 at 10:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Accessibly plugin to the latest version (>=3.0.4) where the REST endpoints implement proper permission callbacks and input sanitization.
  • If an update is not feasible, block unauthenticated access to the /otm-ac/v1/update-widget-options and /otm-ac/v1/update-app-config endpoints by adding a security plugin rule or custom code that checks user capabilities before accepting POST data.
  • As a temporary workaround, manually edit the widgetSrc option in the WordPress database (wp_options table) to remove any external script URLs and ensure it points only to trusted resources, while also inspecting other stored options for similar injection vectors.

Generated by OpenCVE AI on April 15, 2026 at 10:22 UTC.
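As an added defensive example (not the plugin's own code and not the vendor fix), the following must-use plugin implements the second recommended action: it hooks the `rest_pre_dispatch` filter, which WordPress runs before a route's own `permission_callback`, so requests to the two advisory endpoints are refused unless the caller holds `manage_options`, and any `widgetSrc` in the JSON body must be an https URL on an allowlisted host. The mu-plugin file name and the allowlisted host `cdn.example.invalid` are assumptions; the page does not name the vendor's real script host.

```php
<?php
/**
 * Plugin Name: Accessibly REST hardening (illustrative mu-plugin)
 * Drop into wp-content/mu-plugins/. Hypothetical example, not the vendor's fix.
 */

// Routes named in the advisory. The allowlisted host is a constructed placeholder;
// replace it with the host the plugin's widget script is legitimately served from.
const OTM_AC_GUARDED_ROUTES = array(
    '/otm-ac/v1/update-widget-options',
    '/otm-ac/v1/update-app-config',
);
const OTM_AC_ALLOWED_SCRIPT_HOSTS = array( 'cdn.example.invalid' );

/**
 * Returns a WP_Error when $route is guarded and the caller lacks manage_options,
 * or when the JSON body carries a widgetSrc outside the allowlist; null otherwise.
 */
function otm_ac_guard_request( string $route, bool $can_manage, array $json ) {
    if ( ! in_array( $route, OTM_AC_GUARDED_ROUTES, true ) ) {
        return null; // Not one of the endpoints from the advisory; leave it alone.
    }
    if ( ! $can_manage ) {
        return new WP_Error( 'rest_forbidden', 'Administrator capability required.', array( 'status' => 403 ) );
    }
    if ( isset( $json['widgetSrc'] ) ) {
        // esc_url_raw() returns '' for disallowed schemes (javascript:, data:, http:).
        $src  = esc_url_raw( (string) $json['widgetSrc'], array( 'https' ) );
        $host = wp_parse_url( $src, PHP_URL_HOST );
        if ( '' === $src || ! in_array( $host, OTM_AC_ALLOWED_SCRIPT_HOSTS, true ) ) {
            return new WP_Error( 'rest_invalid_param', 'widgetSrc must be an https URL on an approved host.', array( 'status' => 400 ) );
        }
    }
    return null;
}

// rest_pre_dispatch fires before the matched route's permission_callback; returning a
// WP_Error short-circuits the request, so the plugin's __return_true never gets a say.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    $error = otm_ac_guard_request(
        $request->get_route(),
        current_user_can( 'manage_options' ),
        (array) $request->get_json_params()
    );
    return $error instanceof WP_Error ? $error : $result;
}, 10, 3 );
```

Unauthenticated requests have no current user in the REST context, so `current_user_can()` is false and they receive a 403 before the plugin's `updateWidgetOptions()` runs; an administrator's cookie-and-nonce or application-password request still goes through, subject to the host allowlist.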

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 17:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 15:15:00 +0000

Type: First Time appeared
Values Added: Onthemapmarketing; Onthemapmarketing accessibly – Wordpress Website Accessibility; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Onthemapmarketing; Onthemapmarketing accessibly – Wordpress Website Accessibility; Wordpress; Wordpress wordpress

Wed, 15 Apr 2026 09:00:00 +0000

Type: Description
Values Added: (the full description text shown at the top of this page)

Type: Title
Values Added: Accessibly <= 3.0.3 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting via Widget Source Injection via REST API

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added:

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Onthemapmarketing Accessibly – Wordpress Website Accessibility
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-15T16:13:04.206Z

Reserved: 2026-03-06T16:08:09.871Z

Link: CVE-2026-3643

Vulnrichment

Updated: 2026-04-15T13:32:02.801Z

NVD

Status: Received

Published: 2026-04-15T09:16:31.720

Modified: 2026-04-15T09:16:31.720

Link: CVE-2026-3643

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T14:53:13Z

Weaknesses