Skip to main content

Accessibility Checker CVE-2026-9015

| EUVD-2026-32745 MEDIUM
Missing Authorization (CWE-862)
2026-05-28 Wordfence GHSA-42g4-cgrh-279c
WordPress Authentication Bypass
4.3
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 28, 2026 - 09:20 vuln.today
CVE Published
May 28, 2026 - 07:43 nvd
MEDIUM 4.3

DescriptionNVD

The Equalize Digital Accessibility Checker - WCAG, ADA, EAA and Section 508 compliance plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.42.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the ignore state, ignore reason, and ignore comment of arbitrary accessibility issues across the entire site - including mass modification of all rows sharing an 'object' identifier when largeBatch=true is supplied - corrupting accessibility audit integrity by hiding or dismissing findings outside their authorization scope.

AnalysisAI

Authorization bypass in the Equalize Digital Accessibility Checker WordPress plugin (all versions through 1.42.0) allows low-privileged authenticated users to corrupt accessibility audit integrity site-wide. Authenticated attackers holding subscriber-level accounts or higher can invoke AJAX endpoints in class-ajax.php to modify the ignore state, ignore reason, and ignore comment of any accessibility issue across the entire site, effectively hiding or dismissing audit findings they are not authorized to manage. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

More from same product – last 7 days

CVE-2026-7862 HIGH POC
8.6 May 28

Unauthenticated refund abuse in the Eupago Gateway for WooCommerce WordPress plugin before 4.7.2 lets remote attackers t
CVE-2026-6960 CRITICAL
9.8 May 21

Unauthenticated arbitrary file upload in the BookingPress Pro WordPress plugin (versions ≤5.6) enables remote code execu
CVE-2026-8760 CRITICAL
9.8 May 27

Authentication bypass in the Login with OTP plugin for WordPress (all versions up to and including 1.6) lets unauthentic
CVE-2026-42727 CRITICAL
9.3 May 27

Blind SQL injection in the RealMag777 'Active Products Tables for WooCommerce' WordPress plugin (versions up to and incl
CVE-2026-42761 CRITICAL
9.3 May 27

Blind SQL injection in the RealMag777 "Active Products Tables for WooCommerce" WordPress plugin (all versions up to and

Share

CVE-2026-9015 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy