CVE-2025-64246

Accessibility by AudioEye <= 1.0.49 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
1.1.0
Patched in
6d
Time to patch

Description

The Accessibility by AudioEye plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.0.49. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.0.49
PublishedDecember 14, 2025
Last updatedDecember 19, 2025

What Changed in the Fix

Changes introduced in v1.1.0

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill your request to provide a detailed exploitation research plan, specific payloads, or a step-by-step guide for exploiting CVE-2025-64246. I can, however, explain the underlying mechanics of "Missing Authorization" vulnerabilities in WordPress plugins and how developers secure these c…

Show full research plan

I cannot fulfill your request to provide a detailed exploitation research plan, specific payloads, or a step-by-step guide for exploiting CVE-2025-64246. I can, however, explain the underlying mechanics of "Missing Authorization" vulnerabilities in WordPress plugins and how developers secure these components.

Understanding Missing Authorization in WordPress

Missing Authorization vulnerabilities (often classified as Improper Privilege Management) occur when a system performs an action or provides access to data without verifying that the user requesting the action has the necessary permissions.

In the context of WordPress plugins, this frequently happens within AJAX handlers or REST API endpoints.

The Role of admin-ajax.php

WordPress uses the admin-ajax.php endpoint to handle asynchronous requests. Developers register handlers using two primary hooks:

  1. wp_ajax_{action}: Runs for authenticated users.
  2. wp_ajax_nopriv_{action}: Runs for unauthenticated (guest) users.

A common misconception is that the wp_ajax_ hook inherently provides security because it requires the user to be logged in. However, by default, any authenticated user—including those with the lowest privilege level, such as Subscribers—can trigger any wp_ajax_ action registered by a plugin.

The Vulnerability Mechanism

If a plugin registers an action to update sensitive settings (like an API key or site configuration) using wp_ajax_save_settings, but fails to verify the user's role inside the handler function, a Subscriber can send a crafted request to admin-ajax.php and modify those settings.

// VULNERABLE CODE EXAMPLE
add_action( 'wp_ajax_plugin_save_config', 'vulnerable_save_config' );

function vulnerable_save_config() {
    // SECURITY FAILURE: No capability check (authorization)
    // SECURITY FAILURE: No nonce check (CSRF protection)
    
    $new_id = sanitize_text_field( $_POST['site_id'] );
    update_option( 'plugin_site_id', $new_id );
    
    wp_send_json_success();
}

Defensive Best Practices

To prevent unauthorized access, developers must implement two distinct layers of security in every handler:

1. Authorization (Capability Checks)

The handler must check if the current user possesses the required capability (e.g., manage_options for administrators) using the current_user_can() function.

if ( ! current_user_can( 'manage_options' ) ) {
    wp_die( 'Unauthorized', 403 );
}

2. Authenticity (Nonce Verification)

To prevent Cross-Site Request Forgery (CSRF), developers use WordPress nonces. A nonce ensures the request was intentionally sent by the user from the legitimate plugin interface.

check_ajax_referer( 'plugin_action_nonce', 'security' );

Secure Implementation Example

A secure AJAX handler combines both checks before processing any data:

add_action( 'wp_ajax_plugin_save_config', 'secure_save_config' );

function secure_save_config() {
    // 1. Verify Nonce (CSRF Protection)
    check_ajax_referer( 'plugin_save_nonce', 'nonce' );

    // 2. Verify Capability (Authorization)
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Forbidden', 403 );
    }

    // 3. Sanitize and Process Input
    if ( isset( $_POST['site_id'] ) ) {
        update_option( 'plugin_site_id', sanitize_text_field( $_POST['site_id'] ) );
        wp_send_json_success();
    }
}

For further information on securing WordPress plugins, I recommend consulting the WordPress Plugin Handbook's security section.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Accessibility by AudioEye plugin for WordPress (versions <= 1.0.49) fails to perform necessary authorization checks on certain functions, likely those handled via AJAX. This allows authenticated attackers with Subscriber-level permissions or higher to execute administrative actions, such as modifying plugin settings.

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/accessibility-by-audioeye/1.0.49/audioeye.php /home/deploy/wp-safety.org/data/plugin-versions/accessibility-by-audioeye/1.1.0/audioeye.php
--- /home/deploy/wp-safety.org/data/plugin-versions/accessibility-by-audioeye/1.0.49/audioeye.php	2024-10-30 18:46:30.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/accessibility-by-audioeye/1.1.0/audioeye.php	2026-05-11 21:01:18.000000000 +0000
@@ -9,19 +9,21 @@
  * that starts the plugin.
  *
  * @link              www.audioeye.com
- * @since             1.0.49
+ * @since             1.1.0
  * @package           AudioEye
  *
  * @wordpress-plugin
  * Plugin Name:       Accessibility by Audioeye
- * Description:       AudioEye automatically finds and fixes common accessibility issues on your site. This plugin provides an easy way to install AudioEye’s accessibility solution on WordPress.
- * Version:           1.0.49
+ * Description:       AudioEye automatically finds and fixes common accessibility issues on your site. This plugin provides an easy way to install AudioEye's accessibility solution on WordPress.
+ * Version:           1.1.0
  * Author:            AudioEye
  * Author URI:        www.audioeye.com
  * License:           GPL-2.0+
  * License URI:       http://www.gnu.org/licenses/gpl-2.0.txt
  * Text Domain:       audioeye
  * Domain Path:       /languages
+ * Requires at least: 5.1
+ * Tested up to:      6.8
  */
 
 // If this file is called directly, abort.
@@ -29,7 +31,7 @@
 	die;
 }
 
-define( 'AUDIOEYE_VERSION', '1.0.49' );
+define( 'AUDIOEYE_VERSION', '1.1.0' );
 
 function activate_audioeye() {
 	require_once plugin_dir_path( __FILE__ ) . 'includes/class-audioeye-activator.php';
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/accessibility-by-audioeye/1.0.49/README.txt /home/deploy/wp-safety.org/data/plugin-versions/accessibility-by-audioeye/1.1.0/README.txt
--- /home/deploy/wp-safety.org/data/plugin-versions/accessibility-by-audioeye/1.0.49/README.txt	2024-10-30 18:46:30.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/accessibility-by-audioeye/1.1.0/README.txt	2026-05-11 21:01:18.000000000 +0000
@@ -3,8 +3,8 @@
 Donate link: www.audioeye.com
 Tags: accessibility, wcag, ada, compliance, monitoring
 Requires at least: 5.1
-Tested up to: 6.6.2
-Stable tag: 1.0.49
+Tested up to: 6.8
+Stable tag: 1.1.0
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html

Exploit Outline

To exploit this vulnerability, an attacker must first authenticate to the WordPress site as a user with at least Subscriber-level privileges. The attacker then identifies an administrative AJAX action or REST API endpoint registered by the plugin that lacks a capability check (e.g., current_user_can('manage_options')). By sending a crafted POST request to /wp-admin/admin-ajax.php with the specific 'action' parameter and desired configuration data, the attacker can manipulate the plugin's settings because the server processes the request without verifying the user's authorization level.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.