{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3643", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-06T16:08:09.871Z", "datePublished": "2026-04-15T08:28:17.565Z", "dateUpdated": "2026-04-15T16:13:04.206Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-15T08:28:17.565Z"}, "affected": [{"vendor": "onthemapmarketing", "product": "Accessibly \u2013 WordPress Website Accessibility", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.0.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Accessibly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in all versions up to, and including, 3.0.3. The plugin registers REST API endpoints at `/otm-ac/v1/update-widget-options` and `/otm-ac/v1/update-app-config` with the `permission_callback` set to `__return_true`, which means no authentication or authorization check is performed. The `updateWidgetOptions()` function in `AdminApi.php` accepts user-supplied JSON data and passes it directly to `AccessiblyOptions::updateAppConfig()`, which saves it to the WordPress options table via `update_option()` without any sanitization or validation. The stored `widgetSrc` value is later retrieved by `AssetsManager::enqueueFrontendScripts()` and passed directly to `wp_enqueue_script()` as the script URL, causing it to be rendered as a `<script>` tag on every front-end page. This makes it possible for unauthenticated attackers to inject arbitrary JavaScript that executes for all site visitors by changing the `widgetSrc` option to point to a malicious external script."}], "title": "Accessibly <= 3.0.3 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting via Widget Source Injection via REST API", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f8234ea2-ff80-425f-b83d-29c422b40c6a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/otm-accessibly/trunk/public/Api/BaseApiController.php#L22"}, {"url": "https://plugins.trac.wordpress.org/browser/otm-accessibly/tags/3.0.3/public/Api/BaseApiController.php#L22"}, {"url": "https://plugins.trac.wordpress.org/browser/otm-accessibly/trunk/public/admin/AdminApi.php#L65"}, {"url": "https://plugins.trac.wordpress.org/browser/otm-accessibly/tags/3.0.3/public/admin/AdminApi.php#L65"}, {"url": "https://plugins.trac.wordpress.org/browser/otm-accessibly/trunk/public/Data/AccessiblyOptions.php#L69"}, {"url": "https://plugins.trac.wordpress.org/browser/otm-accessibly/tags/3.0.3/public/Data/AccessiblyOptions.php#L69"}, {"url": "https://plugins.trac.wordpress.org/browser/otm-accessibly/trunk/public/AssetsManager.php#L63"}, {"url": "https://plugins.trac.wordpress.org/browser/otm-accessibly/tags/3.0.3/public/AssetsManager.php#L63"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Yoschanin Pulsirivong"}, {"lang": "en", "type": "finder", "value": "Ronnachai Sretawat Na Ayutaya"}, {"lang": "en", "type": "finder", "value": "Ronnachai Chaipha"}], "timeline": [{"time": "2026-04-14T19:47:46.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T13:31:59.213067Z", "id": "CVE-2026-3643", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T16:13:04.206Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Accessibly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in all versions up to, and including, 3.0.3. The plugin registers REST API endpoints at `/otm-ac/v1/update-widget-options` and `/otm-ac/v1/update-app-config` with the `permission_callback` set to `__return_true`, which means no authentication or authorization check is performed. The `updateWidgetOptions()` function in `AdminApi.php` accepts user-supplied JSON data and passes it directly to `AccessiblyOptions::updateAppConfig()`, which saves it to the WordPress options table via `update_option()` without any sanitization or validation. The stored `widgetSrc` value is later retrieved by `AssetsManager::enqueueFrontendScripts()` and passed directly to `wp_enqueue_script()` as the script URL, causing it to be rendered as a `<script>` tag on every front-end page. This makes it possible for unauthenticated attackers to inject arbitrary JavaScript that executes for all site visitors by changing the `widgetSrc` option to point to a malicious external script."}], "id": "CVE-2026-3643", "lastModified": "2026-04-15T09:16:31.720", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-15T09:16:31.720", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/otm-accessibly/tags/3.0.3/public/Api/BaseApiController.php#L22"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/otm-accessibly/tags/3.0.3/public/AssetsManager.php#L63"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/otm-accessibly/tags/3.0.3/public/Data/AccessiblyOptions.php#L69"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/otm-accessibly/tags/3.0.3/public/admin/AdminApi.php#L65"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/otm-accessibly/trunk/public/Api/BaseApiController.php#L22"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/otm-accessibly/trunk/public/AssetsManager.php#L63"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/otm-accessibly/trunk/public/Data/AccessiblyOptions.php#L69"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/otm-accessibly/trunk/public/admin/AdminApi.php#L65"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f8234ea2-ff80-425f-b83d-29c422b40c6a?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.0.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Accessibly \u2013 WordPress Website Accessibility", "source": "cna", "vendor": "onthemapmarketing"}, "product": "accessibly_\u2013_wordpress_website_accessibility", "vendor": "onthemapmarketing"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T10:22:16.702289+00:00", "value": {"mitigation_remediation": ["Update the Accessibly plugin to the latest version (>=3.0.4) where the REST endpoints implement proper permission callbacks and input sanitization.", "If an update is not feasible, block unauthenticated access to the /otm-ac/v1/update-widget-options and /otm-ac/v1/update-app-config endpoints by adding a security plugin rule or custom code that checks user capabilities before accepting POST data.", "As a temporary workaround, manually edit the widgetSrc option in the WordPress database (wp_options table) to remove any external script URLs and ensure it points only to trusted resources, while also inspecting other stored options for similar injection vectors."], "summary": {"action": "Immediate Patch", "impact": "Unauthenticated Stored Cross\u2011Site Scripting that allows arbitrary JavaScript execution for all site visitors"}, "threat_synthesis": {"affected_systems": "All sites running the Accessibly plugin from version 1.0.0 up to and including 3.0.3 are affected. The plugin is identified as onthemapmarketing:Accessibly \u2013 WordPress Website Accessibility. The vulnerability originates in files BaseApiController.php, AssetsManager.php, AccessiblyOptions.php, and AdminApi.php within the plugin code base.", "description_and_impact": "The Accessibly WordPress plugin registers REST API endpoints without authentication checks, enabling any visitor to submit JSON data that is stored as the widget source URL. The stored value is later passed directly to wp_enqueue_script, causing the browser to load and execute the script as a <script> tag on all front\u2011end pages. This results in unauthenticated stored XSS, giving an attacker the ability to run arbitrary JavaScript in the context of the site for all users, compromising confidentiality and integrity of site data and potentially leading to credential theft or defacement.", "risk_and_exploitability": "The CVSS v3.1 score of 7.2 indicates a high severity. EPSS is not available, but the lack of authentication combined with stored XSS makes the attack path straightforward for an unauthenticated user who can reach the REST endpoints. The vulnerability is not listed in CISA\u2019s KEV catalog, yet the ease of exploitation suggests that it could be commonly abused. Attackers can simply send a crafted HTTP POST to /otm-ac/v1/update-widget-options or /otm-ac/v1/update-app-config with a malicious widgetSrc URL, which will be executed for every visitor once stored."}}}}, "created": "2026-04-15T13:49:14.860712+00:00", "updated": "2026-04-15T14:53:13.869536+00:00", "vendors": ["onthemapmarketing", "onthemapmarketing$PRODUCT$accessibly_\u2013_wordpress_website_accessibility", "wordpress", "wordpress$PRODUCT$wordpress"]}