WP Accessibility Security & Risk Analysis

wordpress.org/plugins/wp-accessibility

WP Accessibility fixes common accessibility issues in your WordPress site.

60K active installs · v2.3.2 · PHP 7.4+ · WP 5.9+ · Updated Feb 18, 2026
Tags: a11y, accessibility, alt-text, section508, wcag
Score 98 · A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Feb 26, 2026
Safety Verdict

Is WP Accessibility Safe to Use in 2026?

Generally Safe

Score 98/100

WP Accessibility has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Feb 26, 2026 · Updated 1mo ago

Risk Assessment

The wp-accessibility plugin v2.3.2 exhibits a generally good security posture with strong adherence to best practices in critical areas. The absence of critical or high severity taint flows, fully prepared SQL queries, and a lack of dangerous functions or file operations are significant strengths. Furthermore, the presence of nonce and capability checks on all identified entry points, including AJAX handlers and shortcodes, significantly mitigates common attack vectors. The plugin also avoids external HTTP requests and bundled libraries, further reducing its attack surface. However, a notable concern is the output escaping, where 61% of outputs are properly escaped, leaving a substantial portion potentially vulnerable to Cross-Site Scripting (XSS) attacks. While the static analysis shows no *current* unsanitized paths, the history of two medium severity XSS vulnerabilities, with the last one in 2026, suggests a recurring weakness in input sanitization or output encoding that requires continuous vigilance. The plugin's history, despite having no currently unpatched vulnerabilities, indicates a past susceptibility to XSS, which coupled with the imperfect output escaping, warrants a cautious approach.

Key Concerns

  • Imperfect output escaping
  • Medium severity vulnerability history (XSS)

Vulnerabilities (2)

WP Accessibility Security Vulnerabilities

CVEs by Year

1 CVE in 2019
1 CVE in 2026

Severity Breakdown

Medium: 2

2 total CVEs

CVE-2026-2362 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Accessibility <= 2.3.1 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via 'alt' Attribute

Feb 26, 2026 · Patched in 2.3.2 (1d)

WF-766b5c62-0701-47d5-9839-445c2654d3e0-wp-accessibility · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Accessibility < 1.7.0 - Authenticated Stored Cross-Site Scripting

Dec 26, 2019 · Patched in 1.7.0 (1489d)

Code Analysis
Analyzed Mar 16, 2026

WP Accessibility Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (2 prepared)
Unescaped Output: 57 (89 escaped)
Nonce Checks: 6
Capability Checks: 6
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared · 2 total queries

Output Escaping

61% escaped · 146 total outputs

Data Flows: 1 unsanitized

Data Flow Analysis

10 flows · 1 with unsanitized paths
<longdesc-template> (templates\longdesc-template.php:0)
Attack Surface

WP Accessibility Attack Surface

Entry Points: 3
Unprotected: 0

AJAX Handlers 2

auth wp_ajax_wpa_stats_action wp-accessibility-stats.php:239
nopriv wp_ajax_wpa_stats_action wp-accessibility-stats.php:240

Shortcodes 1

[wpa_toolbar] wp-accessibility-toolbar.php:117

WordPress Hooks 45

filter manage_media_columns wp-accessibility-alt.php:16
action manage_media_custom_column wp-accessibility-alt.php:17
filter attachment_fields_to_edit wp-accessibility-alt.php:163
filter attachment_fields_to_save wp-accessibility-alt.php:187
filter image_send_to_editor wp-accessibility-alt.php:206
action init wp-accessibility-alt.php:254
action enqueue_block_assets wp-accessibility-alt.php:263
filter wp_get_attachment_image_attributes wp-accessibility-longdesc.php:16
action template_redirect wp-accessibility-longdesc.php:50
filter image_send_to_editor wp-accessibility-longdesc.php:130
action init wp-accessibility-longdesc.php:191
action admin_enqueue_scripts wp-accessibility-settings.php:16
action admin_enqueue_scripts wp-accessibility-settings.php:558
action init wp-accessibility-stats.php:48
action init wp-accessibility-stats.php:66
action wp_dashboard_setup wp-accessibility-stats.php:250
filter the_title wp-accessibility-stats.php:641
action admin_init wp-accessibility-stats.php:645
filter manage_wpa-stats_posts_columns wp-accessibility-stats.php:650
action manage_wpa-stats_posts_custom_column wp-accessibility-stats.php:651
action add_meta_boxes wp-accessibility-stats.php:726
action widgets_init wp-accessibility-toolbar.php:17
action wp_enqueue_scripts wp-accessibility-toolbar.php:25
action wp_enqueue_scripts wp-accessibility-toolbar.php:44
action admin_notices wp-accessibility.php:59
action admin_menu wp-accessibility.php:80
filter plugin_action_links wp-accessibility.php:148
action wp_enqueue_scripts wp-accessibility.php:164
action admin_head wp-accessibility.php:191
action wp_enqueue_scripts wp-accessibility.php:343
action admin_bar_menu wp-accessibility.php:556
filter posts_clauses wp-accessibility.php:576
filter mce_css wp-accessibility.php:596
filter pre_get_posts wp-accessibility.php:613
action template_include wp-accessibility.php:628
filter body_class wp-accessibility.php:652
filter get_the_excerpt wp-accessibility.php:658
filter excerpt_more wp-accessibility.php:659
filter the_content_more_link wp-accessibility.php:660
action enqueue_block_editor_assets wp-accessibility.php:860
filter block_type_metadata wp-accessibility.php:878
filter register_block_type_args wp-accessibility.php:902
filter the_content wp-accessibility.php:923
action admin_menu wp-accessibility.php:985
action save_post wp-accessibility.php:1040
Maintenance & Trust

WP Accessibility Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 18, 2026
PHP min version: 7.4
Downloads: 1.8M

Community Trust

Rating: 96/100
Number of ratings: 68
Active installs: 60K
Developer Profile

WP Accessibility Developer Profile

Joe Dolson

6 plugins · 96K total installs

Trust score: 75
Avg Security Score: 94/100
Avg Patch Time: 855 days
Detection Fingerprints

How We Detect WP Accessibility

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/wp-accessibility/css/wpa-style.css
  • /wp-content/plugins/wp-accessibility/css/diagnostic.css
  • /wp-content/plugins/wp-accessibility/css/diagnostic-head.css

Version Parameters

  • wp-accessibility/css/wpa-style.css?ver=
  • wp-accessibility/css/diagnostic.css?ver=
  • wp-accessibility/css/diagnostic-head.css?ver=

HTML / DOM Fingerprints

CSS Classes

  • wpa-toolbar
  • wpa-overlay

HTML Comments

  • <!-- WP Accessibility Skip Links -->
  • <!-- WP Accessibility Toolbar -->
  • <!-- WP Accessibility Overlay Settings -->
  • <!-- WP Accessibility Longdesc Button -->
  • +6 more

Data Attributes

  • data-wpa-id
  • data-wpa-label

JS Globals

  • wpa_toolbar_settings