MEDIUM 4.3

CVE-2026-9015: WordPress Equalize Digital Accessibility Checker Authorization Bypass (MEDIUM)

The Equalize Digital Accessibility Checker plugin for WordPress contains a flaw that allows users with basic subscriber access to modify accessibility audit findings they shouldn't be able to touch. An authenticated attacker can change whether issues are marked as ignored, alter the reason for ignoring them, and add comments to any accessibility finding on the site. In some cases, they can perform bulk modifications across multiple related findings at once. This means someone with minimal privileges could systematically hide or dismiss accessibility compliance problems, undermining the integrity of WCAG and ADA audit records without proper authorization.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-862
Affected products
0 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

The Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.42.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the ignore state, ignore reason, and ignore comment of arbitrary accessibility issues across the entire site — including mass modification of all rows sharing an 'object' identifier when largeBatch=true is supplied — corrupting accessibility audit integrity by hiding or dismissing findings outside their authorization scope.

10 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-9015 is an authorization bypass vulnerability in the Equalize Digital Accessibility Checker plugin affecting versions up to 1.42.0. The plugin fails to enforce proper capability checks when processing requests to modify the ignore state, ignore reason, and ignore comment fields of accessibility issues. The vulnerability is triggered through authenticated requests and is exacerbated when the largeBatch=true parameter is supplied, allowing mass modification of all rows matching a given object identifier. The root cause is classified as CWE-862 (Missing Authorization), indicating the plugin performs an action without verifying the user has permission to do so. The CVSS 3.1 score of 4.3 reflects the network-accessible nature, low attack complexity, and the integrity impact of allowing unauthorized modification of audit data.

Business impact

This vulnerability directly threatens the reliability of accessibility compliance records. Organizations relying on the plugin to maintain WCAG, ADA, EAA, and Section 508 audit trails face the risk of findings being hidden or dismissed by unauthorized users. The impact extends beyond individual findings—bulk operations enable rapid corruption of audit integrity. For regulated entities or those subject to accessibility lawsuits, compromised audit logs could undermine defense strategies or create legal exposure if non-compliance remains hidden. Internal stakeholders may lose confidence in the accuracy of compliance status, and remediation tracking becomes unreliable. Reputationally, if unauthorized modification of accessibility records is discovered, it may suggest negligent audit practices.

Affected systems

All WordPress installations running the Equalize Digital Accessibility Checker plugin in versions 1.42.0 and below are affected. The vulnerability requires the attacker to have at least subscriber-level access to WordPress, the lowest authenticated user role. Any WordPress site using this plugin for accessibility compliance monitoring is potentially exposed if user access controls permit subscribers or higher-privilege users to interact with the plugin's functionality. Organizations should inventory plugin installations across their WordPress estate and cross-reference with user role assignments.

Exploitability

Exploitation requires authentication, placing this in the 'authenticated attacker' category. Subscriber-level access is the minimum threshold, making it exploitable by a broad class of users—including guest contributors, external auditors, or compromised low-privilege accounts. The attack requires only HTTP requests; no user interaction or complex setup is needed. The availability of the largeBatch parameter suggests the vulnerability is easily triggered through standard plugin interfaces or API calls. Given the low bar to entry and straightforward exploitation path, organizations with permissive user provisioning are at elevated risk. The vulnerability is not publicly reported as exploited (not in CISA KEV), but the simplicity of the attack increases the likelihood of opportunistic abuse.

Remediation

Update the Equalize Digital Accessibility Checker plugin to a patched version released after the modified date (2026-06-17). Verify the specific patch version against the official Equalize Digital plugin advisory or WordPress.org plugin repository. Immediately review and enforce the principle of least privilege: audit subscriber-level and editor-level user accounts, and remove unnecessary access for users who do not require it. Implement monitoring and logging of accessibility issue modifications to detect unauthorized changes. Consider temporarily restricting plugin functionality to administrator-only access until a patch is applied. Test patches in a staging environment before production deployment.

Patch guidance

Check the Equalize Digital Accessibility Checker plugin repository on WordPress.org and the vendor's official advisory for the earliest patched version following 1.42.0. Apply patches in a controlled rollout: test in a staging environment that mirrors production, verify that accessibility audit data remains intact, and confirm that authorization controls now prevent subscriber-level modification. After patching, audit the audit logs to identify any unauthorized modifications that may have occurred while the vulnerability was active. Document the patch version applied and the date of remediation for compliance records.

Detection guidance

Monitor WordPress audit logs and plugin activity logs for modifications to accessibility issue records, particularly changes to ignore state, ignore reason, or ignore comment fields. Flag modifications originating from subscriber or editor-level user accounts, especially if they modify findings outside their expected scope. In WAF or IDS logs, look for requests to the plugin with the largeBatch=true parameter combined with modifications to accessibility data. Review database change logs for bulk updates to accessibility tables initiated by non-administrator accounts. If the plugin supports request logging, examine logs for PATCH or POST requests targeting accessibility issue endpoints without corresponding authorization checks. Correlate suspicious modifications with user session timing and source IPs to identify potential compromise vectors.

Why prioritize this

Although the CVSS score is moderate (4.3), this vulnerability should be prioritized for organizations with strong accessibility compliance obligations or those in regulated industries. The integrity impact on audit records creates secondary risks: hidden non-compliance issues, failed audits, and potential legal liability. The low barrier to exploitation (subscriber access) and bulk modification capability amplify the risk for sites with distributed user bases. Organizations should patch promptly to restore audit integrity and close the authorization bypass; however, this is not a critical remote code execution or authentication bypass, so it should not pre-empt critical infrastructure patching efforts.

Risk score, explained

The CVSS 3.1 score of 4.3 (MEDIUM) reflects: network accessibility (AV:N), low attack complexity (AC:L), requirement for low-privilege authenticated access (PR:L), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), low integrity impact (I:L—ability to modify but not delete or exfiltrate), and no availability impact (A:N). The score does not amplify for regulatory or organizational context; however, the integrity impact on compliance data and the ease of bulk modification elevate practical risk beyond the numerical score.

Frequently asked questions

Can an attacker delete accessibility findings or export them?

No. The vulnerability is limited to modifying the ignore state, reason, and comments of existing findings. Deletion and data exfiltration are not in scope. The attacker corrupts audit records by hiding findings, but the underlying data remains on the server.

Does this affect accessibility compliance if the plugin is disabled after modification?

Yes. If accessibility issues are marked as ignored due to this vulnerability, disabling the plugin does not restore the audit record. The modifications persist in the database. Organizations should audit records for suspicious ignore flags and restore them if necessary before assuming compliance status is accurate.

How does the largeBatch parameter increase risk?

The largeBatch=true parameter allows an attacker to modify all accessibility findings sharing the same object identifier in a single request, rather than one at a time. This enables rapid, widespread corruption of audit records and makes detection harder if logging is insufficient.

Is this vulnerability being exploited in the wild?

There is no indication of active exploitation (the vulnerability is not in CISA's KEV catalog). However, the simplicity of exploitation means opportunistic attacks are likely if the vulnerability becomes widely known. Patching should not be delayed based on KEV status alone.

This analysis is based on the vulnerability description and CVSS assessment as of the modified date (2026-06-17). Patch versions, detailed vendor advisories, and exploitation status may evolve after publication. Organizations should verify patch availability directly with Equalize Digital and the WordPress.org plugin repository. This document does not constitute legal advice regarding compliance obligations. SEC.co makes no warranty regarding the completeness or accuracy of this analysis; consult official vendor advisories and security testing to confirm impact in your environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).