🔐 CVE Alert

CVE-2026-9015

MEDIUM 4.3

Equalize Digital Accessibility Checker <= 1.42.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Accessibility Issue Modification via edac_insert_ignore_data AJAX Action

CVSS Score
4.3
EPSS Score
0.0%
EPSS Percentile
0th

The Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.42.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the ignore state, ignore reason, and ignore comment of arbitrary accessibility issues across the entire site — including mass modification of all rows sharing an 'object' identifier when largeBatch=true is supplied — corrupting accessibility audit integrity by hiding or dismissing findings outside their authorization scope.

CWE CWE-862
Vendor equalizedigital
Product equalize digital accessibility checker – wcag, ada, eaa and section 508 compliance
Published May 28, 2026
Last Updated May 28, 2026
Stay Ahead of the Next One

Get instant alerts for equalizedigital equalize digital accessibility checker – wcag, ada, eaa and section 508 compliance

Be the first to know when new medium vulnerabilities affecting equalizedigital equalize digital accessibility checker – wcag, ada, eaa and section 508 compliance are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

equalizedigital / Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance
0 ≤ 1.42.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/613fc64a-1206-4a11-b945-216068b9339a?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/accessibility-checker/tags/1.41.0/admin/class-ajax.php#L856 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/accessibility-checker/tags/1.41.0/admin/class-ajax.php#L814 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/accessibility-checker/tags/1.41.0/admin/class-ajax.php#L40 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/accessibility-checker/tags/1.41.0/admin/class-enqueue-admin.php#L89 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/accessibility-checker/tags/1.38.0/admin/class-ajax.php#L856 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/accessibility-checker/tags/1.38.0/admin/class-ajax.php#L814 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/accessibility-checker/tags/1.38.0/admin/class-ajax.php#L40 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/accessibility-checker/tags/1.38.0/admin/class-enqueue-admin.php#L89 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3539961%40accessibility-checker&new=3539961%40accessibility-checker&sfp_email=&sfph_mail=

Credits

Herlangga Maulani