Ally – Web Accessibility & Usability Security & Risk Analysis

wordpress.org/plugins/pojo-accessibility

Ally: Make your site more inclusive by scanning for accessibility violations, fixing them easily, and adding a usability widget and accessibility stat …

500K active installs · v4.1.0 · PHP 7.4+ · WP 6.6+ · Updated Feb 23, 2026
Tags: a11y, accessibility, accessibility-statement, wcag, web-accessibility
Score: 93/100 (A · Safe)
CVEs total: 4
Unpatched: 0
Last CVE: Mar 10, 2026
Safety Verdict

Is Ally – Web Accessibility & Usability Safe to Use in 2026?

Generally Safe

Score 93/100

Ally – Web Accessibility & Usability has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Mar 10, 2026 · Updated 1mo ago
Risk Assessment

The pojo-accessibility v4.1.0 plugin exhibits a mixed security posture. On the positive side, it demonstrates good practices in SQL query handling, exclusively using prepared statements, and a strong adherence to output escaping, with 85% of outputs properly escaped. The presence of numerous capability checks (16) is also a good indicator of thoughtful authorization implementation. However, the plugin is not without its concerns. A significant area of weakness is the attack surface, with one of its three AJAX handlers lacking authentication checks, presenting a potential entry point for unauthorized actions.

The vulnerability history of this plugin is a more significant concern. With four known CVEs, including one high-severity and three medium-severity vulnerabilities, it suggests a pattern of past security weaknesses. The common vulnerability types listed (SQL Injection, Missing Authorization, CSRF, XSS) reinforce the idea that these are recurring issues. While there are currently no unpatched vulnerabilities, the history indicates a need for ongoing vigilance and robust security development processes.

In conclusion, while the plugin incorporates some strong security measures, the presence of an unprotected AJAX handler and a history of multiple vulnerabilities, particularly in common areas like authorization and input sanitization, warrants careful consideration. The lack of critical issues in the current static analysis is a positive sign, but the historical context suggests that users should remain cautious and ensure the plugin is updated promptly with any future security patches.

Key Concerns

  • AJAX handler without auth checks
  • History of 1 High severity CVE
  • History of 3 Medium severity CVEs
  • 15% of outputs not properly escaped
Vulnerabilities (4)

Ally – Web Accessibility & Usability Security Vulnerabilities

CVEs by Year

  • 2025: 2 CVEs
  • 2026: 2 CVEs

Severity Breakdown

  • High: 1
  • Medium: 3

4 total CVEs

CVE-2026-2413 · high · 7.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Ally – Web Accessibility & Usability <= 4.0.3 - Unauthenticated SQL Injection via URL Path

Mar 10, 2026 · Patched in 4.1.0 (1d)

CVE-2026-25386 · medium · 5.3 · Missing Authorization

Ally <= 4.0.2 - Missing Authorization

Feb 19, 2026 · Patched in 4.0.3 (6d)

CVE-2025-10700 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Ally - Web Accessibility & Usability <= 3.8.0 - Cross-Site Request Forgery to Plugin Settings Update

Oct 15, 2025 · Patched in 3.8.1 (1d)

CVE-2025-32640 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

One Click Accessibility <= 3.1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Apr 9, 2025 · Patched in 3.2.0 (13d)

Code Analysis
Analyzed Mar 16, 2026

Ally – Web Accessibility & Usability Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (10 prepared)
  • Unescaped Output: 31 (181 escaped)
  • Nonce Checks: 6
  • Capability Checks: 16
  • File Operations: 5
  • External Requests: 2
  • Bundled Libraries: 0

SQL Query Safety

100% prepared · 10 total queries

Output Escaping

85% escaped · 212 total outputs
Attack Surface
1 unprotected

Ally – Web Accessibility & Usability Attack Surface

Entry Points: 3
Unprotected: 1

AJAX Handlers 3

  • auth · wp_ajax_ea11y_pointer_dismissed · modules\core\components\pointers.php:47
  • auth · wp_ajax_ea11y_deactivation_feedback · modules\deactivation\module.php:258
  • auth · wp_ajax_a11y_install_elementor_set_admin_notice_viewed · modules\legacy\components\admin.php:171
WordPress Hooks 105
  • action · rest_api_init · classes\rest\route.php:57
  • action · admin_footer · classes\utils\notice-base.php:204
  • action · wp · modules\analytics\components\analytics-daily.php:25
  • filter · elementor_one/ea11y_connect_authorize_url · modules\connect\module.php:67
  • action · admin_notices · modules\core\components\notices.php:57
  • action · init · modules\core\components\notices.php:59
  • filter · plugin_action_links · modules\core\components\revert-to-legacy.php:50
  • filter · hello_elementor_enable_skip_link · modules\core\components\skip-link.php:74
  • action · wp_enqueue_scripts · modules\core\components\skip-link.php:76
  • action · wp_body_open · modules\core\components\skip-link.php:77
  • filter · wp_handle_upload_prefilter · modules\core\components\svg.php:20
  • filter · upload_mimes · modules\core\components\svg.php:21
  • action · admin_enqueue_scripts · modules\core\module.php:76
  • filter · plugin_action_links · modules\core\module.php:77
  • action · wp_dashboard_setup · modules\dashboard\widgets\ally-dashboard-widget.php:114
  • action · admin_enqueue_scripts · modules\deactivation\module.php:256
  • action · admin_footer · modules\deactivation\module.php:257
  • action · admin_footer · modules\legacy\components\admin.php:35
  • action · admin_notices · modules\legacy\components\admin.php:170
  • filter · admin_footer_text · modules\legacy\components\admin.php:172
  • filter · customize_register · modules\legacy\components\customizer.php:292
  • filter · wp_head · modules\legacy\components\customizer.php:293
  • filter · pojo_a11y_frontend_is_toolbar_active · modules\legacy\components\elementor.php:22
  • action · wp_enqueue_scripts · modules\legacy\components\frontend.php:279
  • action · wp_footer · modules\legacy\components\frontend.php:280
  • action · wp_footer · modules\legacy\components\frontend.php:281
  • action · admin_menu · modules\legacy\components\settings.php:719
  • action · admin_init · modules\legacy\components\settings.php:720
  • action · admin_footer · modules\legacy\components\settings.php:721
  • action · admin_footer · modules\legacy\components\upgrade.php:184
  • action · admin_footer · modules\legacy\components\upgrade.php:365
  • action · admin_footer · modules\legacy\components\upgrade.php:661
  • action · current_screen · modules\legacy\components\upgrade.php:663
  • action · current_screen · modules\legacy\components\upgrade.php:665
  • filter · pojo_a11y_customizer_section_description · modules\legacy\components\upgrade.php:667
  • action · ea11y_register_notices · modules\legacy\components\upgrade.php:669
  • action · admin_init · modules\legacy\module.php:79
  • action · elementor/init · modules\legacy\module.php:80
  • action · current_screen · modules\legacy\notices\dismissible-deprecated-nag.php:39
  • action · current_screen · modules\legacy\notices\sticky-deprecated-nag.php:40
  • action · rocket_after_clean_domain · modules\remediation\components\cache-cleaner.php:84
  • action · rocket_after_clean_terms · modules\remediation\components\cache-cleaner.php:85
  • action · after_rocket_clean_post · modules\remediation\components\cache-cleaner.php:86
  • action · after_rocket_clean_home · modules\remediation\components\cache-cleaner.php:87
  • action · after_rocket_clean_file · modules\remediation\components\cache-cleaner.php:88
  • action · w3tc_flush_all · modules\remediation\components\cache-cleaner.php:92
  • action · w3tc_flush_post · modules\remediation\components\cache-cleaner.php:93
  • action · litespeed_purged_all · modules\remediation\components\cache-cleaner.php:97
  • action · litespeed_purged_post · modules\remediation\components\cache-cleaner.php:98
  • filter · litespeed_purge_post_events · modules\remediation\components\cache-cleaner.php:100
  • action · flying_press_purged_all · modules\remediation\components\cache-cleaner.php:107
  • action · flying_press_purged_post · modules\remediation\components\cache-cleaner.php:108
  • action · swift_performance_after_clear_all_cache · modules\remediation\components\cache-cleaner.php:112
  • action · swift_performance_after_clear_post_cache · modules\remediation\components\cache-cleaner.php:113
  • action · wpo_cache_cleared · modules\remediation\components\cache-cleaner.php:117
  • action · wpo_purge_post_cache · modules\remediation\components\cache-cleaner.php:118
  • action · breeze_clear_all_cache · modules\remediation\components\cache-cleaner.php:122
  • action · breeze_clear_post_cache · modules\remediation\components\cache-cleaner.php:123
  • action · nitropack_purge_all · modules\remediation\components\cache-cleaner.php:127
  • action · nitropack_purge_url · modules\remediation\components\cache-cleaner.php:128
  • action · wp_cache_cleared · modules\remediation\components\cache-cleaner.php:132
  • action · wp_cache_post_edit · modules\remediation\components\cache-cleaner.php:133
  • action · swcfpc_purge_all · modules\remediation\components\cache-cleaner.php:137
  • action · swcfpc_purge_urls · modules\remediation\components\cache-cleaner.php:138
  • action · cloudflare_purged_everything · modules\remediation\components\cache-cleaner.php:142
  • action · cloudflare_purged_url · modules\remediation\components\cache-cleaner.php:143
  • action · afcf_after_purge_all · modules\remediation\components\cache-cleaner.php:147
  • action · afcf_after_purge_post · modules\remediation\components\cache-cleaner.php:148
  • action · kinsta_purge_complete_caches_happened · modules\remediation\components\cache-cleaner.php:152
  • action · created_term · modules\remediation\components\cache-cleaner.php:192
  • action · edited_term · modules\remediation\components\cache-cleaner.php:193
  • action · save_post · modules\remediation\components\cache-cleaner.php:194
  • action · template_redirect · modules\remediation\components\remediation-runner.php:291
  • action · admin_enqueue_scripts · modules\reviews\module.php:244
  • action · admin_init · modules\reviews\module.php:245
  • action · rest_api_init · modules\reviews\module.php:246
  • filter · plugin_row_meta · modules\reviews\module.php:247
  • action · init · modules\scanner\components\list-column.php:137
  • action · admin_enqueue_scripts · modules\scanner\components\list-column.php:138
  • action · admin_bar_menu · modules\scanner\components\top-bar-link.php:19
  • action · wp_enqueue_scripts · modules\scanner\module.php:157
  • action · admin_enqueue_scripts · modules\scanner\module.php:158
  • action · in_admin_header · modules\settings\components\settings-pointer.php:103
  • filter · admin_footer_text · modules\settings\module.php:684
  • action · admin_menu · modules\settings\module.php:685
  • action · admin_enqueue_scripts · modules\settings\module.php:686
  • action · rest_api_init · modules\settings\module.php:687
  • action · current_screen · modules\settings\module.php:693
  • action · ea11y_register_notices · modules\settings\module.php:696
  • action · admin_notices · modules\settings\module.php:697
  • action · elementor_one/switched_domain · modules\settings\module.php:703
  • action · current_screen · modules\settings\notices\quota-100.php:96
  • action · current_screen · modules\settings\notices\quota-80.php:88
  • filter · rocket_exclude_js · modules\widget\components\cache-compatibility.php:94
  • filter · rocket_minify_excluded_external_js · modules\widget\components\cache-compatibility.php:95
  • filter · litespeed_optimize_js_excludes · modules\widget\components\cache-compatibility.php:98
  • filter · ally_connect_home_url · modules\widget\components\cache-compatibility.php:100
  • action · init · modules\widget\components\gutenberg-link.php:35
  • filter · render_block_ally/custom-link · modules\widget\components\gutenberg-link.php:36
  • action · wp_footer · modules\widget\module.php:294
  • action · wp_enqueue_scripts · modules\widget\module.php:295
  • action · admin_enqueue_scripts · modules\widget\module.php:296
  • filter · script_loader_tag · modules\widget\module.php:298
  • action · elementor/dynamic_tags/register · modules\widget\module.php:301
  • action · plugins_loaded · pojo-accessibility.php:86
Maintenance & Trust

Ally – Web Accessibility & Usability Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Feb 23, 2026
  • PHP min version: 7.4
  • Downloads: 4.3M

Community Trust

  • Rating: 58/100
  • Number of ratings: 151
  • Active installs: 500K
Developer Profile

Ally – Web Accessibility & Usability Developer Profile

Elementor

15 plugins · 13.2M total installs

  • Trust score: 76
  • Avg Security Score: 95/100
  • Avg Patch Time: 704 days
Detection Fingerprints

How We Detect Ally – Web Accessibility & Usability

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/pojo-accessibility/assets/build/skip-link.css
  • /wp-content/plugins/pojo-accessibility/assets/build/skip-link.min.css
  • /wp-content/plugins/pojo-accessibility/assets/build/frontend.js
  • /wp-content/plugins/pojo-accessibility/assets/build/frontend.min.js
  • /wp-content/plugins/pojo-accessibility/assets/build/style-skip-link.css
  • /wp-content/plugins/pojo-accessibility/assets/build/style-skip-link.min.css

Script Paths

  • /wp-content/plugins/pojo-accessibility/assets/build/skip-link.js
  • /wp-content/plugins/pojo-accessibility/assets/build/frontend.js

Version Parameters

  • pojo-accessibility/assets/build/skip-link.css?ver=
  • pojo-accessibility/assets/build/frontend.js?ver=
  • pojo-accessibility/assets/build/style-skip-link.css?ver=

HTML / DOM Fingerprints

CSS Classes

  • ea11y-skip-to-content-link
  • ea11y-skip-to-content-backdrop

Data Attributes

  • data-tabindex
  • data-esc-close

JS Globals
onSkipLinkClickEA11y