CVE-2026-9015
Deferred - Pending Action
Authorization Bypass in Equalize Digital Accessibility Checker Plugin

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: Wordfence

Description
The Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.42.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the ignore state, ignore reason, and ignore comment of arbitrary accessibility issues across the entire site (including mass modification of all rows sharing an 'object' identifier when largeBatch=true is supplied), corrupting accessibility audit integrity by hiding or dismissing findings outside their authorization scope.
Meta Information
Published: 2026-05-28
Last Modified: 2026-05-28
Generated: 2026-05-28
AI Q&A: 2026-05-28
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: equalize_digital
Product: accessibility_checker
Version / Range: up to 1.42.0 (inclusive)
CWE
CWE ID: CWE-862
Description: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
Can you explain this vulnerability to me?

The Equalize Digital Accessibility Checker plugin for WordPress, used for compliance with WCAG, ADA, EAA, and Section 508, has an authorization bypass vulnerability in all versions up to, and including, 1.42.0.

This vulnerability occurs because the plugin does not properly verify whether a user is authorized to perform certain actions.

As a result, authenticated users with subscriber-level access or higher can modify the ignore state, ignore reason, and ignore comment of accessibility issues across the entire site.

They can also perform mass modifications of all rows sharing an 'object' identifier when a specific parameter (largeBatch=true) is supplied.

This corrupts the integrity of accessibility audits by allowing users to hide or dismiss findings outside their authorized scope.


How can this vulnerability impact me?

This vulnerability can impact you by allowing unauthorized modification of accessibility audit data on your WordPress site.

Authenticated users with low-level access can hide or dismiss accessibility issues that should be addressed, potentially masking compliance problems.

This undermines the reliability and integrity of your site's accessibility audits, making it difficult to ensure that accessibility standards are properly met.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows authenticated attackers with subscriber-level access and above to modify the ignore state, ignore reason, and ignore comment of arbitrary accessibility issues across the entire site. This can corrupt the integrity of accessibility audits by hiding or dismissing findings outside their authorization scope.

Because the plugin is designed to help with WCAG, ADA, EAA, and Section 508 compliance, this authorization bypass undermines the reliability of accessibility compliance reporting. While the CVE description does not explicitly mention GDPR, HIPAA, or other regulations, the corruption of audit integrity could indirectly affect compliance efforts related to accessibility and record-keeping required by such standards.

