Description
The Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.42.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the ignore state, ignore reason, and ignore comment of arbitrary accessibility issues across the entire site — including mass modification of all rows sharing an 'object' identifier when largeBatch=true is supplied — corrupting accessibility audit integrity by hiding or dismissing findings outside their authorization scope.
Published: 2026-05-28
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Equalize Digital Accessibility Checker plugin for WordPress contains a missing-authorization flaw (CWE-862): the edac_insert_ignore_data AJAX action can be invoked by any authenticated user with subscriber-level privileges or above, because the handler does not check whether the caller is allowed to perform the operation before acting on the request. An attacker can alter the ignore state, ignore reason, and ignore comment of any accessibility issue on the site and, by supplying largeBatch=true, mass-modify every row that shares the same 'object' identifier. The result is deliberate corruption of audit data: non-compliant elements can be hidden or dismissed, undermining the integrity of WCAG, ADA, EAA and Section 508 assessments. No data is disclosed and availability is unaffected; the CVSS vector records a low integrity impact only (C:N/I:L/A:N).

Affected Systems

The vulnerability affects all installations of the Equalize Digital Accessibility Checker plugin on WordPress up to and including version 1.42.0. Any WordPress site with the plugin active and at least one account that is not fully trusted (subscriber role or higher) is within scope; sites with open registration, or that hand out subscriber accounts to customers or commenters, are the most exposed. No other vendors or products are impacted.

Risk and Exploitability

With a CVSS 3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N), the flaw presents a moderate threat level. The attack is carried out over the network through the site's admin-ajax.php endpoint and needs no user interaction, but it requires a valid login with subscriber-level privileges or higher; sites that allow open registration, or that grant subscriber accounts routinely, meet that precondition by default. The EPSS score is below 1% (Very Low), so the predicted probability of exploitation in the wild is small. The vulnerability is not listed in the CISA KEV catalog, indicating no publicly known exploitation activity at the time of analysis.

Generated by OpenCVE AI on May 28, 2026 at 09:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the first release newer than 1.42.0 that adds the missing capability check to the edac_insert_ignore_data AJAX action as soon as the vendor publishes it; at the time of this analysis no fixed version or vendor workaround is listed.
  • Until a fix ships, shrink the pool of accounts that can reach the endpoint: disable open registration if it is not needed, review and remove stale or untrusted subscriber-level accounts, and treat any unexpected change to an issue's ignore state, reason or comment (in particular a bulk change to all rows sharing one 'object' identifier) as a sign of misuse. Restricting the subscriber role with a role-management plugin is unlikely to help on its own, since the problem is that the handler does not check the caller's capabilities before acting.
  • Alternatively, add an explicit capability check in front of the action yourself, for example a must-use plugin that hooks the action at a higher priority and rejects the request unless current_user_can('manage_options') holds, so that only administrators can alter audit data until the vendor fix is applied.
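As an added hardening example for the must-use-plugin approach (this is illustrative code written for this page, not code from the plugin, the vendor, or the advisory): WordPress routes admin-ajax.php requests with action=edac_insert_ignore_data to the hook wp_ajax_edac_insert_ignore_data, and a callback registered there at priority 0 runs before the plugin's own handler at the default priority 10; because wp_send_json_error() ends the request with wp_die(), a rejected request never reaches the vulnerable handler. Assumptions: the capability 'manage_options' stands in for whatever capability the plugin itself uses, which the advisory does not state; the request keys 'object' and 'largeBatch' are taken from the advisory text; the log line format is invented here.

```php
<?php
/**
 * Plugin Name: EDAC ignore-data guard (illustrative hardening; not vendor code)
 * Description: Puts a capability check in front of the edac_insert_ignore_data
 *              AJAX action on sites still running Accessibility Checker <= 1.42.0.
 *              Install as wp-content/mu-plugins/edac-ignore-guard.php.
 */

// Capability required to change the ignore state of a finding.
// ASSUMPTION: the advisory does not name the plugin's own capability, so the
// WordPress built-in 'manage_options' (administrators only) is used here.
const EDAC_GUARD_CAP = 'manage_options';

/**
 * Gatekeeper for logged-in requests. Registered at priority 0 on
 * wp_ajax_edac_insert_ignore_data so it runs before the plugin's handler.
 * wp_send_json_error() calls wp_die(), which ends the request for rejected callers.
 */
function edac_guard_insert_ignore_data() {
    if ( ! current_user_can( EDAC_GUARD_CAP ) ) {
        edac_guard_log( 'denied' );
        wp_send_json_error(
            array( 'message' => 'You are not allowed to modify accessibility findings.' ),
            403
        );
    }
    // Allowed: record who changed what, so bulk dismissals stay auditable.
    edac_guard_log( 'allowed' );
}
add_action( 'wp_ajax_edac_insert_ignore_data', 'edac_guard_insert_ignore_data', 0 );

/**
 * Anonymous callers get a flat refusal. The flaw needs a login, so this hook is
 * only a belt-and-braces measure in case a nopriv handler is ever registered.
 */
function edac_guard_insert_ignore_data_nopriv() {
    edac_guard_log( 'denied-anonymous' );
    wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
}
add_action( 'wp_ajax_nopriv_edac_insert_ignore_data', 'edac_guard_insert_ignore_data_nopriv', 0 );

/**
 * One line per request in the PHP error log. 'object' and 'largeBatch' are the
 * parameters the advisory names; ASSUMPTION: they arrive under those exact keys.
 * The line format is invented for this example.
 */
function edac_guard_log( $outcome ) {
    $object      = isset( $_REQUEST['object'] )
        ? sanitize_text_field( wp_unslash( $_REQUEST['object'] ) ) : '';
    $large_batch = isset( $_REQUEST['largeBatch'] )
        ? sanitize_text_field( wp_unslash( $_REQUEST['largeBatch'] ) ) : '';
    $ip          = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';

    error_log( sprintf(
        'edac_insert_ignore_data %s user=%d ip=%s object=%s largeBatch=%s',
        $outcome,
        get_current_user_id(),
        $ip,
        $object,
        $large_batch
    ) );
}
```

To verify the guard, log in as a subscriber and submit the action to /wp-admin/admin-ajax.php: the response should be the JSON error with HTTP 403 and a "denied" line in the PHP error log, while an administrator's request behaves exactly as before. The guard adds no CSRF (nonce) check because the nonce action and field name used by the plugin's front-end are not given on this page; add one only after reading the plugin's JavaScript. Remove the mu-plugin once a fixed release is installed, so the vendor's own authorization logic is the only one in the path.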

Generated by OpenCVE AI on May 28, 2026 at 09:50 UTC.

Advisories

No advisories yet.

History

Thu, 28 May 2026 11:30:00 +0000

Values Added:
  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Removed: none.


Thu, 28 May 2026 08:45:00 +0000

Values Added:
  • Description: The Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.42.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the ignore state, ignore reason, and ignore comment of arbitrary accessibility issues across the entire site — including mass modification of all rows sharing an 'object' identifier when largeBatch=true is supplied — corrupting accessibility audit integrity by hiding or dismissing findings outside their authorization scope.
  • Title: Equalize Digital Accessibility Checker <= 1.42.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Accessibility Issue Modification via edac_insert_ignore_data AJAX Action
  • Weaknesses: CWE-862
  • References: (none)
  • Metrics (cvssV3_1): {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}
Values Removed: none.


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-28T10:32:25.512Z

Reserved: 2026-05-19T14:28:17.653Z

Link: CVE-2026-9015

Vulnrichment

Updated: 2026-05-28T10:32:19.426Z

NVD

Status : Deferred

Published: 2026-05-28T09:16:49.240

Modified: 2026-05-28T13:45:25.260

Link: CVE-2026-9015

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T10:00:11Z

Weaknesses