CVE-2026-9199
Authorization Bypass in Equalize Digital Accessibility Checker WordPress Plugin

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: Wordfence

Description
The Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.42.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with author-level access and above, to dismiss, ignore, or restore accessibility audit issue records belonging to posts they are not permitted to edit by supplying an issue from their own post as an authorization token to affect matching issues across the entire site. An Author-level user can exploit this by passing largeBatch=true on a dismiss-issue request referencing one of their own post's issues, causing the handler to bulk-modify all site-wide accessibility issues sharing the same 'object' value, including those belonging to administrator-owned posts.
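The missing check can be modelled as a per-row authorization filter on the bulk operation. The following is an added example, not code from the plugin or from the advisory: the row shape, the helper name bulk_dismiss_targets and the sample data are hypothetical, and the permission callback stands in for WordPress's current_user_can('edit_post', $post_id).

```php
<?php
declare(strict_types=1);

// Hypothetical row shape (id, post_id, object, ignored) and helper name;
// this models the check, it is not the plugin's schema or handler.
function bulk_dismiss_targets(array $issues, int $referenceId, callable $canEditPost): array
{
    $reference = null;
    foreach ($issues as $row) {
        if ($row['id'] === $referenceId) {
            $reference = $row;
            break;
        }
    }
    // The referenced issue must itself sit on a post the caller may edit.
    if ($reference === null || !$canEditPost($reference['post_id'])) {
        return [];
    }

    $targets = [];
    foreach ($issues as $row) {
        if ($row['object'] !== $reference['object']) {
            continue;
        }
        // Authorize every matching row against its own post, so owning one
        // issue never grants access to same-'object' issues on other posts.
        if ($canEditPost($row['post_id'])) {
            $targets[] = $row['id'];
        }
    }
    return $targets;
}

// Constructed sample data: posts 10 and 11 are the author's, post 20 is an administrator's.
$issues = [
    ['id' => 1, 'post_id' => 10, 'object' => '<img src="logo.png">', 'ignored' => false],
    ['id' => 2, 'post_id' => 11, 'object' => '<img src="logo.png">', 'ignored' => false],
    ['id' => 3, 'post_id' => 20, 'object' => '<img src="logo.png">', 'ignored' => false],
    ['id' => 4, 'post_id' => 10, 'object' => '<a href="#">here</a>', 'ignored' => false],
];
// Stand-in for the real check; in WordPress this would wrap current_user_can('edit_post', $postId).
$authorCanEdit = fn(int $postId): bool => in_array($postId, [10, 11], true);

$targets = bulk_dismiss_targets($issues, 1, $authorCanEdit);
foreach ($issues as &$row) {
    $row['ignored'] = in_array($row['id'], $targets, true);
}
unset($row);
print_r(array_column($issues, 'ignored', 'id'));
```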
Affected Vendors & Products
Showing 1 associated CPE
Vendor: equalize_digital
Product: accessibility_checker
Version / Range: to 1.42.1 (inclusive)
CWE ID: CWE-862
Description: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

The Equalize Digital Accessibility Checker plugin for WordPress has an authorization bypass vulnerability in all versions up to and including 1.42.1. This happens because the plugin does not properly verify whether a user is authorized to perform certain actions.

As a result, authenticated users with author-level access or higher can manipulate accessibility audit issue records for posts they are not allowed to edit. They do this by using an issue from their own post as an authorization token to affect matching issues site-wide.

Specifically, an author-level user can send a request with a parameter that causes the plugin to bulk-modify all accessibility issues across the site that share the same object value, including those belonging to administrator-owned posts.

Impact Analysis

This vulnerability allows users with author-level access to dismiss, ignore, or restore accessibility audit issues on posts they should not have permission to modify.

Because the exploit can bulk-modify issues site-wide, it can affect the integrity and accuracy of accessibility audits across the entire WordPress site.

This could lead to unauthorized changes in accessibility compliance records, potentially masking accessibility problems or falsely indicating compliance.
