CVE-2026-9199
Deferred Deferred - Pending Action

Authorization Bypass in Equalize Digital Accessibility Checker WordPress Plugin

Vulnerability report for CVE-2026-9199, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: Wordfence

Description

The Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.42.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with author-level access and above, to dismiss, ignore, or restore accessibility audit issue records belonging to posts they are not permitted to edit by supplying an issue from their own post as an authorization token to affect matching issues across the entire site. An Author-level user can exploit this by passing largeBatch=true on a dismiss-issue request referencing one of their own post's issues, causing the handler to bulk-modify all site-wide accessibility issues sharing the same 'object' value β€” including those belonging to administrator-owned posts.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-18
Last Modified
2026-06-18
Generated
2026-07-08
AI Q&A
2026-06-18
EPSS Evaluated
2026-07-07
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
equalize_digital accessibility_checker to 1.42.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The Equalize Digital Accessibility Checker plugin for WordPress has an authorization bypass vulnerability in all versions up to 1.42.1. This happens because the plugin does not properly verify if a user is authorized to perform certain actions.

As a result, authenticated users with author-level access or higher can manipulate accessibility audit issue records for posts they are not allowed to edit. They do this by using an issue from their own post as an authorization token to affect matching issues site-wide.

Specifically, an author-level user can send a request with a parameter that causes the plugin to bulk-modify all accessibility issues across the site that share the same object value, including those belonging to administrator-owned posts.

Impact Analysis

This vulnerability allows users with author-level access to dismiss, ignore, or restore accessibility audit issues on posts they should not have permission to modify.

Because the exploit can bulk-modify issues site-wide, it can affect the integrity and accuracy of accessibility audits across the entire WordPress site.

This could lead to unauthorized changes in accessibility compliance records, potentially masking accessibility problems or falsely indicating compliance.

Compliance Impact

The vulnerability allows authenticated users with author-level access to bypass authorization controls and modify accessibility audit issue records across the entire site, including those they should not have permission to edit.

Since the plugin is designed to check compliance with accessibility standards such as WCAG, ADA, EAA, and Section 508, this authorization bypass could undermine the integrity of accessibility compliance data.

However, there is no direct information provided about the impact of this vulnerability on compliance with data protection regulations like GDPR or HIPAA.

Mitigation Strategies

The vulnerability affects all versions of the Equalize Digital Accessibility Checker plugin up to and including 1.42.1. Immediate mitigation steps include updating the plugin to a version later than 1.42.1 where the authorization bypass issue is fixed.

Additionally, restrict author-level user permissions where possible to limit the ability to exploit this vulnerability until the plugin is updated.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9199. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart