🔐 CVE Alert

CVE-2026-9199

MEDIUM 4.3

Equalize Digital Accessibility Checker <= 1.42.1 - Missing Authorization to Authenticated (Author+) Arbitrary Accessibility Issue Modification via 'largeBatch' Parameter

CVSS Score
4.3
EPSS Score
0.0%
EPSS Percentile
0th

The Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.42.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with author-level access and above, to dismiss, ignore, or restore accessibility audit issue records belonging to posts they are not permitted to edit by supplying an issue from their own post as an authorization token to affect matching issues across the entire site. An Author-level user can exploit this by passing largeBatch=true on a dismiss-issue request referencing one of their own post's issues, causing the handler to bulk-modify all site-wide accessibility issues sharing the same 'object' value — including those belonging to administrator-owned posts.

CWE CWE-862
Vendor equalizedigital
Product equalize digital accessibility checker – wcag, ada, eaa and section 508 compliance
Published Jun 18, 2026
Stay Ahead of the Next One

Get instant alerts for equalizedigital equalize digital accessibility checker – wcag, ada, eaa and section 508 compliance

Be the first to know when new medium vulnerabilities affecting equalizedigital equalize digital accessibility checker – wcag, ada, eaa and section 508 compliance are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

equalizedigital / Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance
0 ≤ 1.42.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/0e5cc0ce-3785-4240-863e-d1396db6e8ef?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/accessibility-checker/tags/1.42.0/includes/classes/class-rest-api.php#L1247 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/accessibility-checker/tags/1.42.0/includes/classes/class-rest-api.php#L1232 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/accessibility-checker/tags/1.42.0/includes/classes/class-rest-api.php#L349 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/accessibility-checker/tags/1.39.0/includes/classes/class-rest-api.php#L1247 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/accessibility-checker/tags/1.39.0/includes/classes/class-rest-api.php#L1232 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/accessibility-checker/tags/1.39.0/includes/classes/class-rest-api.php#L349 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3553926%40accessibility-checker&new=3553926%40accessibility-checker&sfp_email=&sfph_mail=

Credits

Joy Gilbert