[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f12BOIVq9NjoR4CF-rZhSR0TjC26q0mYN4ExJALx3gMc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-9199","equalize-digital-accessibility-checker-missing-authorization-to-authenticated-author-arbitrary-accessibility-issue-modif","Equalize Digital Accessibility Checker \u003C= 1.42.1 - Missing Authorization to Authenticated (Author+) Arbitrary Accessibility Issue Modification via 'largeBatch' Parameter","The Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.42.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with author-level access and above, to dismiss, ignore, or restore accessibility audit issue records belonging to posts they are not permitted to edit by supplying an issue from their own post as an authorization token to affect matching issues across the entire site. An Author-level user can exploit this by passing largeBatch=true on a dismiss-issue request referencing one of their own post's issues, causing the handler to bulk-modify all site-wide accessibility issues sharing the same 'object' value — including those belonging to administrator-owned posts.","accessibility-checker",null,"\u003C=1.42.1","1.43.0","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-06-17 16:07:31","2026-06-18 04:31:08",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F0e5cc0ce-3785-4240-863e-d1396db6e8ef?source=api-prod",1,[22,23,24,25,26,27,28,29],"accessibility-checker.php","build\u002FpageScanner.bundle.js","changelog.txt","includes\u002Fclasses\u002Fclass-rest-api.php","languages\u002Faccessibility-checker-ar.po","languages\u002Faccessibility-checker-cs_CZ.po","languages\u002Faccessibility-checker-da_DK.po","languages\u002Faccessibility-checker-de_DE.po","researched",false,3,"# Exploitation Research Plan: CVE-2026-9199 (Equalize Digital Accessibility Checker)\n\n## 1. Vulnerability Summary\nThe **Equalize Digital Accessibility Checker** plugin (versions \u003C= 1.42.1) is vulnerable to a missing authorization check in its REST API handler for dismissing accessibility issues. While the plugin verifies that a user has permission to dismiss an issue on a post they *own* (Author level), it fails to properly restrict the scope when the `largeBatch` parameter is set to `true`. \n\nAn authenticated attacker with Author-level permissions can provide an `issue_id` belonging to their own post to pass the initial authorization check. By setting `largeBatch=true`, the plugin's backend logic proceeds to dismiss or modify all matching accessibility issues across the entire site (site-wide) that share the same \"object\" (the specific code snippet or element identifier) and rule type, including issues on posts owned by Administrators.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-json\u002Faccessibility-checker\u002Fv1\u002Fdismiss-issue\u002F(?P\u003Cissue_id>\\d+)`\n*   **Method:** `POST`\n*   **Authentication Required:** Authenticated, minimum **Author** role (must be able to create a post and trigger an accessibility scan to generate a valid `issue_id` they own).\n*   **Payload Parameter:** `largeBatch=true` (passed as a query parameter or POST body parameter).\n*   **Vulnerability Type:** Missing Authorization \u002F Improper Scope Limitation.\n*   **Impact:** Site-wide manipulation of accessibility audit data, allowing unprivileged users to hide critical accessibility errors on sensitive pages (e.g., login pages, checkout pages, or Admin posts).\n\n## 3. Code Flow\n1.  **Registration:** The route is registered in `includes\u002Fclasses\u002Fclass-rest-api.php`.\n2.  **Permission Check:** The `permission_callback` for `\u002Fdismiss-issue\u002F` checks if the user has `edit_post` capability for the post associated with the provided `issue_id`.\n3.  **Callback Execution:** The `dismiss_issue` method is called.\n4.  **The Flaw:** Inside `dismiss_issue` (or the underlying logic it calls), the code checks for `request['largeBatch'] == 'true'`.\n5.  **Site-wide Modification:** If `largeBatch` is true, the plugin performs a database query (likely via `$wpdb`) to update all records in the accessibility issues table where the `object` (element hash\u002Fselector) and `rule_id` match the provided `issue_id`. This query lacks a `post_id` constraint, causing it to affect rows belonging to posts the Author cannot normally edit.\n\n## 4. Nonce Acquisition Strategy\nThe REST API requires a `wp_rest` nonce for authenticated requests. This nonce is typically localized in the WordPress admin dashboard for use by the plugin's React\u002FVue components.\n\n1.  **Identify Trigger:** The plugin's sidebar\u002Fmetabox enqueues scripts on the post editor page.\n2.  **Setup:** Create a test post as the Author: `wp post create --post_type=post --post_status=publish --post_title=\"Author Post\" --post_author=[AUTHOR_ID]`.\n3.  **Navigate:** Use `browser_navigate` to go to the edit page for that post: `\u002Fwp-admin\u002Fpost.php?post=[POST_ID]&action=edit`.\n4.  **Extract Nonce:** Use `browser_eval` to extract the REST nonce from the `wpApiSettings` global object (standard WordPress) or the plugin's specific localized object.\n    *   Standard: `browser_eval(\"window.wpApiSettings?.nonce\")`\n    *   Alternative (if plugin-specific): Check `window.edac_data?.nonce` or similar (inferred from `accessibility-checker.php` and `class-rest-api.php` hooks).\n\n## 5. Exploitation Strategy\n### Step 1: Generate a Target Issue (Admin)\nCreate an Administrator post containing a specific accessibility violation (e.g., a link with no text).\n```bash\nwp post create --post_type=page --post_title=\"Admin Sensitive Page\" --post_status=publish --post_content='\u003Ca href=\"https:\u002F\u002Fexample.com\">\u003C\u002Fa>'\n```\n*Note: The plugin must scan this page to populate the database. This usually happens on save or via a frontend scan.*\n\n### Step 2: Generate a Reference Issue (Author)\nAs the Author, create a post with the **exact same** violation.\n```bash\nwp post create --post_type=post --post_title=\"Author Reference\" --post_status=publish --post_content='\u003Ca href=\"https:\u002F\u002Fexample.com\">\u003C\u002Fa>' --post_author=[AUTHOR_ID]\n```\n\n### Step 3: Identify Author's Issue ID\nRetrieve the `id` of the issue created in Step 2 from the database.\n```bash\nwp db query \"SELECT id FROM wp_accessibility_checker_issues WHERE post_id = [AUTHOR_POST_ID] LIMIT 1;\"\n```\n\n### Step 4: Execute the Bypass\nSend the malicious REST request using the Author's credentials and nonce.\n*   **URL:** `\u002Fwp-json\u002Faccessibility-checker\u002Fv1\u002Fdismiss-issue\u002F[AUTHOR_ISSUE_ID]?largeBatch=true`\n*   **Method:** `POST`\n*   **Headers:**\n    *   `X-WP-Nonce`: `[EXTRACTED_NONCE]`\n    *   `Content-Type`: `application\u002Fjson`\n*   **Body:** (Optional, depending on if the plugin expects dismissal reasons in 1.38.0+)\n    ```json\n    {\n      \"reason\": \"Exploit Testing\",\n      \"status\": \"dismissed\"\n    }\n    ```\n\n## 6. Test Data Setup\n1.  **User Roles:** \n    *   An Administrator user.\n    *   An Author user (`wp user create attacker attacker@example.com --role=author`).\n2.  **Plugin State:** Ensure \"Accessibility Checker\" is active and the database tables are created.\n3.  **Target Content:** An Admin post with a \"Problem\" (e.g., `rule_id`: `link_text`).\n4.  **Attacker Content:** An Author post with the same \"Problem\" (matching `rule_id` and the same HTML element\u002F`object`).\n\n## 7. Expected Results\n*   The initial REST API call for the Author's own `issue_id` returns a `200 OK`.\n*   The response indicates that multiple issues were affected (if the plugin returns a count).\n*   The accessibility issue on the **Admin's** post is now marked as `dismissed` or `ignored` in the database, despite the Author having no permissions for that post.\n\n## 8. Verification Steps\nAfter the HTTP request, verify the state of the Admin's issue via WP-CLI:\n```bash\n# Check if any issues on the Admin post are still 'active' (not dismissed)\nwp db query \"SELECT * FROM wp_accessibility_checker_issues WHERE post_id = [ADMIN_POST_ID] AND is_ignored = 0;\"\n```\nIf the query returns 0 results but the issues were previously present, the site-wide dismissal was successful.\n\n## 9. Alternative Approaches\n*   **Restore instead of Dismiss:** If the Admin has intentionally dismissed an issue, the Author can use the same `largeBatch=true` logic on the `restore-issue` endpoint (if registered separately) to reopen issues site-wide, potentially flooding the Admin's dashboard with \"Problems\".\n*   **Different Rule Types:** Instead of `link_text`, use `img_alt` (missing alt text) which is a very common and easy-to-replicate violation.\n*   **Blind Exploitation:** If the `issue_id` is not known, an Author can iterate through small integers for `issue_id` until they hit one they own, then trigger the site-wide effect.","The Equalize Digital Accessibility Checker plugin (\u003C= 1.42.1) is vulnerable to an authorization bypass where authenticated users with Author-level access can dismiss or restore accessibility issues site-wide. By providing an issue ID from a post they are authorized to edit and setting the 'largeBatch' parameter to true, attackers can bypass permission checks to modify records belonging to posts they do not own, including those of administrators.","\u002F\u002F includes\u002Fclasses\u002Fclass-rest-api.php\n\n\t\t\u002F\u002F Dismiss\u002Frestore issue endpoint.\n\t\tadd_action(\n\t\t\t'rest_api_init',\n\t\t\tfunction () use ( $ns, $version ) {\n\t\t\t\tregister_rest_route(\n\t\t\t\t\t$ns . $version,\n\t\t\t\t\t'\u002Fdismiss-issue\u002F(?P\u003Cissue_id>\\d+)',\n\t\t\t\t\t[\n\t\t\t\t\t\t'methods'             => 'POST',\n\t\t\t\t\t\t'callback'            => [ $this, 'dismiss_issue' ],\n\t\t\t\t\t\t'args'                => [\n\t\t\t\t\t\t\t'issue_id'      => [\n\t\t\t\t\t\t\t\t'required'          => true,\n\t\t\t\t\t\t\t\t'validate_callback' => function ( $param ) {\n\t\t\t\t\t\t\t\t\treturn is_numeric( $param );\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t'sanitize_callback' => 'absint',\n\t\t\t\t\t\t\t],\n\t\t\t\t\t\t],\n\t\t\t\t\t\t'permission_callback' => function ( $request ) {\n\t\t\t\t\t\t\t$issue_id = (int) $request['issue_id'];\n\t\t\t\t\t\t\t\u002F\u002F ... Vulnerability: The handler fails to restrict the scope of the database update when largeBatch=true is supplied ...\n\t\t\t\t\t\t},\n\t\t\t\t\t]\n\t\t\t\t);\n\t\t\t}\n\t\t);","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Faccessibility-checker\u002F1.42.1\u002Faccessibility-checker.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Faccessibility-checker\u002F1.43.0\u002Faccessibility-checker.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Faccessibility-checker\u002F1.42.1\u002Faccessibility-checker.php\t2026-05-20 19:37:20.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Faccessibility-checker\u002F1.43.0\u002Faccessibility-checker.php\t2026-05-29 17:19:52.000000000 +0000\n@@ -10,7 +10,7 @@\n  * Plugin Name:       Accessibility Checker\n  * Plugin URI:        https:\u002F\u002Fa11ychecker.com\n  * Description:       Audit and check your website for accessibility before you hit publish. In-post accessibility scanner and guidance.\n- * Version:           1.42.1\n+ * Version:           1.43.0\n  * Requires PHP:      7.4\n  * Author:            Equalize Digital\n  * Author URI:        https:\u002F\u002Fequalizedigital.com\n@@ -36,7 +36,7 @@\n \n \u002F\u002F Current plugin version.\n if ( ! defined( 'EDAC_VERSION' ) ) {\n-\tdefine( 'EDAC_VERSION', '1.42.1' );\n+\tdefine( 'EDAC_VERSION', '1.43.0' );\n }\n \n \u002F\u002F Current database version.","An authenticated attacker with Author-level permissions exploits the '\u002Fwp-json\u002Faccessibility-checker\u002Fv1\u002Fdismiss-issue\u002F{issue_id}' endpoint. First, the attacker creates a post they own and generates an accessibility issue (e.g., a missing alt tag) to obtain a valid 'issue_id'. They then send a POST request to the dismiss-issue endpoint using this 'issue_id' and the parameter 'largeBatch=true'. The plugin's initial permission check validates the attacker's authorization to modify their own post's issue. However, because 'largeBatch' is set, the backend logic executes a bulk update targeting all issues across the entire site that share the same element signature ('object') and rule type, effectively dismissing critical accessibility findings on administrator-owned posts and sensitive pages.","gemini-3-flash-preview","2026-06-25 22:04:32","2026-06-25 22:05:22",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.42.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Faccessibility-checker\u002Ftags\u002F1.42.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Faccessibility-checker.1.42.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Faccessibility-checker\u002Ftags\u002F1.43.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Faccessibility-checker.1.43.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Faccessibility-checker\u002Ftags"]