Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Network REST API exploitation requires author-level auth (PR:L); impact is integrity-only on audit records, with no confidentiality or availability consequence.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Equalize Digital Accessibility Checker - WCAG, ADA, EAA and Section 508 compliance plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.42.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with author-level access and above, to dismiss, ignore, or restore accessibility audit issue records belonging to posts they are not permitted to edit by supplying an issue from their own post as an authorization token to affect matching issues across the entire site. An Author-level user can exploit this by passing largeBatch=true on a dismiss-issue request referencing one of their own post's issues, causing the handler to bulk-modify all site-wide accessibility issues sharing the same 'object' value - including those belonging to administrator-owned posts.
AnalysisAI
Authorization bypass in Equalize Digital Accessibility Checker for WordPress (all versions ≤ 1.42.1) allows authenticated author-level users to dismiss, ignore, or restore accessibility audit records belonging to posts they do not own. The flaw lies in the plugin's REST API handler accepting the attacker's own issue ID as a sufficient authorization token, and the largeBatch=true parameter then triggers a bulk operation that propagates the action across all site-wide issues sharing the same 'object' value - including those on administrator-owned posts. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress user account with at minimum author-level access (Contributor role is below this threshold and is not sufficient). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 4.3 (Medium) accurately reflects the constrained blast radius of this vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated WordPress author logs into a site running the vulnerable plugin, navigates to one of their own posts that has an accessibility audit issue recorded, and captures that issue's ID from the plugin interface or REST API response. The attacker then crafts a REST API dismiss-issue request referencing their own issue ID as the authorization token and includes the `largeBatch=true` parameter. … |
| Remediation | Update the Equalize Digital Accessibility Checker plugin to a version beyond 1.42.1. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37837
GHSA-47pj-xq28-xxxm