Impact
The Equalize Digital Accessibility Checker plugin for WordPress is missing an authorization check, which allows any authenticated user with the Author role or higher to modify accessibility audit issue records they are not permitted to edit. By supplying a valid issue from one of their own posts as the authorization token and setting the largeBatch parameter to true, an attacker can bulk-modify all site-wide accessibility issues that share the same 'object' value, including those belonging to administrator-owned posts. The flaw is a classic Missing Authorization weakness (CWE-862). The primary impact is tampering with audit data, which can undermine compliance reporting, without any escalation of privileges.
Affected Systems
The affected product is the Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance plugin for WordPress. All installations running any version up to and including 1.42.1 are vulnerable; later versions are not affected.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity, and the EPSS score below 1 % suggests a low but non-zero probability of exploitation. The vulnerability is not listed in CISA's KEV catalog, so known widespread attacks are unlikely. The attack vector is inferred to be an authenticated REST API call: an Author or higher user triggers the flaw by sending a dismiss-issue request that sets largeBatch=true and references an issue from one of their own posts. Successful exploitation requires only legitimate Author credentials and knowledge of an issue token, so it is easy to carry out for anyone who already holds that role.
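The two paragraphs above describe the same pattern from the defender's side: a batch operation whose authorization check is performed once, against the one record the caller passes in, and then applied to every record sharing a field value. The following is an added illustration written for this page; it is not the plugin's code, and the route name, table name (`a11y_issues`), column names (`id`, `post_id`, `object`, `dismissed`) and the `largeBatch` behaviour are assumptions modelled on the advisory text. It shows the flawed shape beside a hardened handler that re-checks `edit_post` for every row the batch would touch.

```php
<?php
// Hypothetical WordPress REST handlers illustrating the CWE-862 pattern in
// the advisory. Names below are assumptions, not the plugin's real schema.

// FLAWED: the capability check covers only the token issue, but the batch
// update then touches every row with the same 'object' value site-wide.
function a11y_hypothetical_dismiss_flawed( WP_REST_Request $request ) {
    global $wpdb;
    $table    = $wpdb->prefix . 'a11y_issues';            // assumed table
    $issue_id = (int) $request->get_param( 'id' );
    $issue    = $wpdb->get_row( $wpdb->prepare(
        "SELECT id, post_id, object FROM {$table} WHERE id = %d", $issue_id ) );
    if ( ! $issue || ! current_user_can( 'edit_post', $issue->post_id ) ) {
        return new WP_Error( 'rest_forbidden', 'Cannot edit this issue.', array( 'status' => 403 ) );
    }
    if ( $request->get_param( 'largeBatch' ) ) {
        // Ownership of the other rows is never checked.
        $wpdb->update( $table, array( 'dismissed' => 1 ), array( 'object' => $issue->object ) );
    } else {
        $wpdb->update( $table, array( 'dismissed' => 1 ), array( 'id' => $issue_id ) );
    }
    return rest_ensure_response( array( 'ok' => true ) );
}

// HARDENED: build the list of rows first, keep only those on posts the caller
// may edit, and update by explicit id list. The token issue gets no special
// trust; it is just one more row subject to the same check.
function a11y_hypothetical_dismiss_hardened( WP_REST_Request $request ) {
    global $wpdb;
    $table    = $wpdb->prefix . 'a11y_issues';            // assumed table
    $issue_id = (int) $request->get_param( 'id' );
    $issue    = $wpdb->get_row( $wpdb->prepare(
        "SELECT id, post_id, object FROM {$table} WHERE id = %d", $issue_id ) );
    if ( ! $issue ) {
        return new WP_Error( 'rest_not_found', 'Unknown issue.', array( 'status' => 404 ) );
    }

    $candidates = array( $issue );
    if ( $request->get_param( 'largeBatch' ) ) {
        $candidates = $wpdb->get_results( $wpdb->prepare(
            "SELECT id, post_id, object FROM {$table} WHERE object = %s", $issue->object ) );
    }

    // Per-row authorization: a row is included only if the caller can edit
    // the post it belongs to. Rows on other users' posts are silently skipped.
    $allowed_ids = array();
    foreach ( $candidates as $row ) {
        if ( current_user_can( 'edit_post', (int) $row->post_id ) ) {
            $allowed_ids[] = (int) $row->id;
        }
    }
    if ( empty( $allowed_ids ) ) {
        return new WP_Error( 'rest_forbidden', 'Cannot edit these issues.', array( 'status' => 403 ) );
    }

    $placeholders = implode( ',', array_fill( 0, count( $allowed_ids ), '%d' ) );
    $wpdb->query( $wpdb->prepare(
        "UPDATE {$table} SET dismissed = 1 WHERE id IN ({$placeholders})", $allowed_ids ) );

    return rest_ensure_response( array(
        'requested' => count( $candidates ),
        'updated'   => count( $allowed_ids ),
    ) );
}

// Route registration (hypothetical namespace). The permission_callback is a
// coarse gate only; the per-row check inside the handler is what closes the
// gap the advisory describes.
add_action( 'rest_api_init', function () {
    register_rest_route( 'a11y-example/v1', '/dismiss', array(
        'methods'             => 'POST',
        'callback'            => 'a11y_hypothetical_dismiss_hardened',
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },
        'args'                => array(
            'id'         => array( 'required' => true, 'type' => 'integer' ),
            'largeBatch' => array( 'type' => 'boolean', 'default' => false ),
        ),
    ) );
} );
```

The design point is that the `largeBatch` flag widens the set of rows, so the authorization decision has to be made over that widened set, not over the single row used to look it up. Returning the `requested` versus `updated` counts also gives site administrators a cheap signal to log: a large gap between the two from an Author account is exactly the access pattern this advisory warns about.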
OpenCVE Enrichment