CVE-2026-9015
Deferred - Pending Action
Authorization Bypass in Equalize Digital Accessibility Checker Plugin

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: Wordfence

Description
The Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.42.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the ignore state, ignore reason, and ignore comment of arbitrary accessibility issues across the entire site — including mass modification of all rows sharing an 'object' identifier when largeBatch=true is supplied — corrupting accessibility audit integrity by hiding or dismissing findings outside their authorization scope.
Meta Information
Published: 2026-05-28
Last Modified: 2026-05-28
Generated: 2026-06-17
AI Q&A: 2026-05-28
EPSS Evaluated: 2026-06-16
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
equalize_digital accessibility_checker to 1.42.0 (inc)
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

The Equalize Digital Accessibility Checker plugin for WordPress, used for compliance with WCAG, ADA, EAA, and Section 508, has an authorization bypass vulnerability in all versions up to, and including, 1.42.0.

This vulnerability occurs because the plugin does not properly verify whether a user is authorized to perform certain actions.

As a result, authenticated users with subscriber-level access or higher can modify the ignore state, ignore reason, and ignore comment of accessibility issues across the entire site.

They can also perform mass modifications of all rows sharing an 'object' identifier when a specific parameter (largeBatch=true) is supplied.

This corrupts the integrity of accessibility audits by allowing users to hide or dismiss findings outside their authorized scope.

Compliance Impact

The vulnerability allows authenticated attackers with subscriber-level access and above to modify the ignore state, ignore reason, and ignore comment of arbitrary accessibility issues across the entire site. This can corrupt the integrity of accessibility audits by hiding or dismissing findings outside their authorization scope.

Because the plugin is designed to help with WCAG, ADA, EAA, and Section 508 compliance, this authorization bypass undermines the reliability of accessibility compliance reporting. While the CVE description does not explicitly mention GDPR, HIPAA, or other regulations, the corruption of audit integrity could indirectly affect compliance efforts related to accessibility and record-keeping required by such standards.

Impact Analysis

This vulnerability can impact you by allowing unauthorized modification of accessibility audit data on your WordPress site.

Authenticated users with low-level access can hide or dismiss accessibility issues that should be addressed, potentially masking compliance problems.

This undermines the reliability and integrity of your site's accessibility audits, making it difficult to ensure that accessibility standards are properly met.
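
One way the missing check described above can be enforced, shown as an added example that is neither the plugin's code nor its actual patch: a WordPress REST route whose permission callback authorizes the caller against the post that owns the issue row and requires a site-wide capability before largeBatch is honored. The route, the `example_a11y_issues` table, its column names, and the assumption that every issue row belongs to a post are hypothetical.

```php
<?php
// Added illustration, not the plugin's code. Route, table and column names are hypothetical.
add_action( 'rest_api_init', function () {
	register_rest_route( 'example-a11y/v1', '/issues/(?P<id>\d+)/ignore', array(
		'methods'             => 'POST',
		'callback'            => 'example_a11y_set_ignore',
		// Authorization runs here, per target row, before the callback can write.
		'permission_callback' => 'example_a11y_can_modify',
	) );
} );

// Load the issue row; assumed to record the post it belongs to in `postid`.
function example_a11y_issue( WP_REST_Request $request ) {
	global $wpdb;
	return $wpdb->get_row( $wpdb->prepare(
		"SELECT id, postid, `object` FROM {$wpdb->prefix}example_a11y_issues WHERE id = %d",
		absint( $request->get_param( 'id' ) )
	) );
}

function example_a11y_can_modify( WP_REST_Request $request ) {
	$issue = example_a11y_issue( $request );
	if ( ! $issue ) {
		return new WP_Error( 'rest_not_found', 'Unknown issue.', array( 'status' => 404 ) );
	}
	// Being logged in is not enough: a subscriber cannot edit the owning post.
	if ( ! current_user_can( 'edit_post', (int) $issue->postid ) ) {
		return new WP_Error( 'rest_forbidden', 'Not allowed.', array( 'status' => 403 ) );
	}
	// largeBatch reaches rows on other posts, so it needs a site-wide capability.
	$batch = rest_sanitize_boolean( $request->get_param( 'largeBatch' ) );
	if ( $batch && ! current_user_can( 'edit_others_posts' ) ) {
		return new WP_Error( 'rest_forbidden', 'Batch not allowed.', array( 'status' => 403 ) );
	}
	return true;
}

function example_a11y_set_ignore( WP_REST_Request $request ) {
	global $wpdb;
	$issue = example_a11y_issue( $request );
	$batch = rest_sanitize_boolean( $request->get_param( 'largeBatch' ) );
	$where = $batch ? array( 'object' => $issue->object ) : array( 'id' => $issue->id );
	$rows  = $wpdb->update( "{$wpdb->prefix}example_a11y_issues", array(
		'ignored'        => rest_sanitize_boolean( $request->get_param( 'ignore' ) ) ? 1 : 0,
		'ignore_reason'  => sanitize_text_field( (string) $request->get_param( 'reason' ) ),
		'ignore_comment' => sanitize_textarea_field( (string) $request->get_param( 'comment' ) ),
	), $where );
	return rest_ensure_response( array( 'updated' => (int) $rows ) );
}
```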
