WP Accessibility Helper (WAH) Security & Risk Analysis

wordpress.org/plugins/wp-accessibility-helper

Short Description: WP Accessibility Helper helps solve accessibility problems

10K active installs · v0.6.6 · PHP 7.4+ · WP 4.3+ · Updated May 29, 2025
Tags: a11y, accessibility, contrast, wai, wcag
Score: 97 (A · Safe)
CVEs total: 5
Unpatched: 0
Last CVE: Aug 28, 2024
Safety Verdict

Is WP Accessibility Helper (WAH) Safe to Use in 2026?

Generally Safe

Score 97/100

WP Accessibility Helper (WAH) has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: Aug 28, 2024 · Updated 10mo ago
Risk Assessment

The "wp-accessibility-helper" plugin v0.6.6 exhibits a mixed security posture. On the positive side, the plugin uses prepared statements for all SQL queries and properly escapes a high percentage (94%) of its output. The absence of dangerous functions, file operations, and external HTTP requests is also a strong indicator of secure coding. However, there are notable concerns.

The static analysis reveals a significant attack surface with 14 AJAX handlers, of which 6 lack authentication checks. This represents a direct pathway for potential unauthorized actions if these handlers are exploitable. While the taint analysis did not uncover critical or high severity issues, the presence of 4 flows with unsanitized paths warrants attention, suggesting potential for subtle vulnerabilities.

The vulnerability history, with 5 previously disclosed medium severity CVEs, highlights a pattern of past security weaknesses. The common vulnerability types, including Missing Authorization and Cross-site Scripting, align with the concerns raised by the static analysis regarding unprotected AJAX handlers and unsanitized paths. Although there are currently no unpatched CVEs, the historical pattern suggests a recurring need for diligent security auditing and patching for this plugin. The plugin's recent vulnerability on August 28, 2024, further emphasizes the ongoing need for vigilance.

Key Concerns

  • Unprotected AJAX handlers
  • Flows with unsanitized paths
  • Previous medium severity CVEs
Vulnerabilities: 5

WP Accessibility Helper (WAH) Security Vulnerabilities

CVEs by Year

  • 2022: 1 CVE
  • 2023: 1 CVE
  • 2024: 3 CVEs

Severity Breakdown

Medium: 5

5 total CVEs

CVE-2024-5987 · medium · 5.4 · Missing Authorization

WP Accessibility Helper <= 0.6.2.8 - Missing Authorization to Authenticated (Subscriber+) Limited Settings Update

Aug 28, 2024 · Patched in 0.6.2.9 (1d)

CVE-2024-37926 · medium · 5.3 · Missing Authorization

WP Accessibility Helper (WAH) <= 0.6.2.9 - Missing Authorization

Jul 9, 2024 · Patched in 0.6.3 (10d)

CVE-2024-31423 · medium · 4.3 · Missing Authorization

WP Accessibility Helper (WAH) <= 0.6.2.5 - Missing Authorization

Apr 10, 2024 · Patched in 0.6.2.6 (7d)

CVE-2023-41869 · medium · 4.3 · Missing Authorization

WP Accessibility Helper (WAH) <= 0.6.2.4 - Missing Authorization via AJAX action

Sep 5, 2023 · Patched in 0.6.2.5 (140d)

CVE-2022-0150 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Accessibility Helper <= 0.6.0.6 - Reflected Cross-Site Scripting via wahi

Jun 20, 2022 · Patched in 0.6.0.7 (582d)

Code Analysis
Analyzed Mar 16, 2026

WP Accessibility Helper (WAH) Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (4 prepared)
  • Unescaped Output: 26 (442 escaped)
  • Nonce Checks: 10
  • Capability Checks: 10
  • File Operations: 0
  • External Requests: 0
  • Bundled Libraries: 0

SQL Query Safety

100% prepared · 4 total queries

Output Escaping

94% escaped · 468 total outputs
Data Flows: 4 unsanitized

Data Flow Analysis

8 flows · 4 with unsanitized paths
<wah-admin> (admin\pages\wah-admin.php:0)
Attack Surface: 6 unprotected

WP Accessibility Helper (WAH) Attack Surface

Entry Points: 14
Unprotected: 6

AJAX Handlers: 14

auth · wp_ajax_wah_update_attachment_title · admin\ajax-functions.php:8
auth · wp_ajax_update_attachment_alt · admin\ajax-functions.php:9
auth · wp_ajax_wah_update_widgets_order · admin\ajax-functions.php:10
auth · wp_ajax_add_new_contrast_item · admin\ajax-functions.php:11
auth · wp_ajax_remove_contrast_item · admin\ajax-functions.php:12
auth · wp_ajax_save_contrast_variations · admin\ajax-functions.php:13
auth · wp_ajax_save_empty_contrast_variations · admin\ajax-functions.php:14
auth · wp_ajax_wah_update_attachment_title · trunk\admin\ajax-functions.php:8
auth · wp_ajax_update_attachment_alt · trunk\admin\ajax-functions.php:9
auth · wp_ajax_wah_update_widgets_order · trunk\admin\ajax-functions.php:10
auth · wp_ajax_add_new_contrast_item · trunk\admin\ajax-functions.php:11
auth · wp_ajax_remove_contrast_item · trunk\admin\ajax-functions.php:12
auth · wp_ajax_save_contrast_variations · trunk\admin\ajax-functions.php:13
auth · wp_ajax_save_empty_contrast_variations · trunk\admin\ajax-functions.php:14
WordPress Hooks: 20

action · wp · inc\wah-front-functions.php:8
action · after_wah_wrapper · inc\wah-front-functions.php:10
filter · body_class · inc\wah-front-functions.php:154
action · wp · trunk\inc\wah-front-functions.php:8
action · after_wah_wrapper · trunk\inc\wah-front-functions.php:10
filter · body_class · trunk\inc\wah-front-functions.php:154
action · init · trunk\wp-accessibility-helper.php:22
action · wp_enqueue_scripts · trunk\wp-accessibility-helper.php:23
action · admin_menu · trunk\wp-accessibility-helper.php:24
action · admin_head · trunk\wp-accessibility-helper.php:25
action · admin_enqueue_scripts · trunk\wp-accessibility-helper.php:26
action · wp_footer · trunk\wp-accessibility-helper.php:27
action · after_setup_theme · trunk\wp-accessibility-helper.php:28
action · init · wp-accessibility-helper.php:22
action · wp_enqueue_scripts · wp-accessibility-helper.php:23
action · admin_menu · wp-accessibility-helper.php:24
action · admin_head · wp-accessibility-helper.php:25
action · admin_enqueue_scripts · wp-accessibility-helper.php:26
action · wp_footer · wp-accessibility-helper.php:27
action · after_setup_theme · wp-accessibility-helper.php:28

Maintenance & Trust

WP Accessibility Helper (WAH) Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.8.5
  • Last updated: May 29, 2025
  • PHP min version: 7.4
  • Downloads: 478K

Community Trust

  • Rating: 94/100
  • Number of ratings: 57
  • Active installs: 10K

Developer Profile

WP Accessibility Helper (WAH) Developer Profile

Alex Volkov

2 plugins · 10K total installs

  • Trust score: 68
  • Avg Security Score: 84/100
  • Avg Patch Time: 148 days
Detection Fingerprints

How We Detect WP Accessibility Helper (WAH)

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/wp-accessibility-helper/assets/css/wp-accessibility-helper.min.css
  • /wp-content/plugins/wp-accessibility-helper/assets/js/wp-accessibility-helper.min.js
  • /wp-content/plugins/wp-accessibility-helper/admin/css/wp-accessibility-helper.css
  • /wp-content/plugins/wp-accessibility-helper/admin/css/wp-accessibility-helper_rtl.css
  • /wp-content/plugins/wp-accessibility-helper/admin/js/jscolor.min.js
  • /wp-content/plugins/wp-accessibility-helper/admin/js/admin_scripts.js
Script Paths
/wp-content/plugins/wp-accessibility-helper/assets/js/wp-accessibility-helper.min.js
Version Parameters
  • wp-accessibility-helper/assets/css/wp-accessibility-helper.min.css?ver=
  • wp-accessibility-helper/assets/js/wp-accessibility-helper.min.js?ver=
  • wp-accessibility-helper/admin/css/wp-accessibility-helper.css?ver=
  • wp-accessibility-helper/admin/css/wp-accessibility-helper_rtl.css?ver=
  • wp-accessibility-helper/admin/js/jscolor.min.js?ver=
  • wp-accessibility-helper/admin/js/admin_scripts.js?ver=

HTML / DOM Fingerprints

CSS Classes
wp-accessibility-helper
Data Attributes
data-wah-page
JS Globals
wpAccessHelper
FAQ

Frequently Asked Questions about WP Accessibility Helper (WAH)