Platform: wordpress
Component: otm-accessibly
Fixed in: 3.0.4
CVE-2026-3643 describes a stored Cross-Site Scripting (XSS) vulnerability affecting the Accessibly WordPress plugin. This vulnerability allows attackers to inject malicious scripts into the plugin's REST API endpoints, potentially leading to unauthorized code execution and data theft. The vulnerability impacts versions of Accessibly up to and including 3.0.3. A patch is available, requiring users to upgrade to a fixed version.
The vulnerability resides in the Accessibly plugin's REST API endpoints, specifically /otm-ac/v1/update-widget-options and /otm-ac/v1/update-app-config. Crucially, these endpoints lack proper authentication and authorization checks: their routes are registered with `permission_callback` set to `__return_true`, which grants every request. This means an unauthenticated attacker can send a crafted JSON payload to these endpoints. The updateWidgetOptions() function then passes this user-supplied data straight to AccessiblyOptions::updateAppConfig(), which saves it to the WordPress options table using update_option(). The injected script then executes whenever the stored options are rendered, effectively allowing the attacker to run arbitrary JavaScript in the context of the WordPress administrator's account. This could lead to session hijacking, defacement of the website, or the theft of sensitive data.
This vulnerability was publicly disclosed on 2026-04-14. There are currently no known public exploits or active campaigns targeting this specific vulnerability. However, the ease of exploitation due to the lack of authentication makes it a potential target for opportunistic attackers. It is not currently listed on the CISA KEV catalog. The vulnerability's simplicity aligns with common XSS exploitation patterns.
Websites running the Accessibly plugin are at risk, particularly those where the plugin is in active use but not regularly updated. Shared hosting environments where plugin updates are managed by the hosting provider are also at increased risk if users have not manually updated the plugin.
• wordpress / composer / npm: grep -r 'otm-ac/v1/update-widget-options' /var/www/html/wp-content/plugins/accessibly/
• wordpress / composer / npm: grep -r 'otm-ac/v1/update-app-config' /var/www/html/wp-content/plugins/accessibly/
• wordpress / composer / npm: wp plugin list --status=active | grep accessibly
• wordpress / composer / npm: wp plugin update accessibly
EPSS: 0.09% (26th percentile)
The primary mitigation is to upgrade the Accessibly plugin to a version newer than 3.0.3 (the fixed release listed above is 3.0.4). If immediate upgrading is not possible due to compatibility issues or breaking changes, temporarily restrict access to the vulnerable REST API endpoints. This can be achieved with a WordPress firewall (WAF) plugin or with custom code that rejects requests to /otm-ac/v1/update-widget-options and /otm-ac/v1/update-app-config from unauthorized users. Monitor the web server's access logs for suspicious requests to these endpoints. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple JavaScript payload via the REST API and verifying that it is not executed.
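The "custom code" stop-gap described above, plus an illustration of the route registration the advisory says the plugin lacks, as an added example that is not the Accessibly plugin's or vendor's code. It assumes WordPress core's `rest_pre_dispatch` filter (which runs before any route's `permission_callback`) and that `manage_options` is the appropriate capability for changing plugin-wide settings; the two route paths are the ones named on this page.

```php
<?php
/**
 * Plugin Name: Guard Accessibly REST write endpoints (stop-gap)
 * Added example, not Accessibly's own code. Install as a mu-plugin
 * (wp-content/mu-plugins/) until the plugin is upgraded past 3.0.3.
 * Route paths are from the advisory; requiring manage_options is an assumption.
 */
const OTM_AC_GUARDED_ROUTES = array(
    '/otm-ac/v1/update-widget-options',
    '/otm-ac/v1/update-app-config',
);
// rest_pre_dispatch runs before the plugin's permission_callback (__return_true
// per the advisory), so the vulnerable handler never sees unauthenticated input.
// Core matches routes case-insensitively, so normalise before comparing.
function otm_ac_guard_rest_writes( $result, WP_REST_Server $server, WP_REST_Request $request ) {
    if ( null !== $result ) {
        return $result; // another filter already answered this request
    }
    $route = strtolower( untrailingslashit( $request->get_route() ) );
    if ( ! in_array( $route, OTM_AC_GUARDED_ROUTES, true ) ) {
        return $result;
    }
    // Cookie sessions without a valid X-WP-Nonce are downgraded to anonymous by
    // core, so a cross-site request riding an admin's browser session lands here.
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient privileges.', array( 'status' => 403 ) );
    }
    return $result; // authorised: fall through to the plugin's own handler
}
add_filter( 'rest_pre_dispatch', 'otm_ac_guard_rest_writes', 10, 3 );
// How such a route should be registered (illustration, not the vendor's patch):
// a real permission_callback and sanitisation before update_option(). Values
// must still be escaped (esc_attr/esc_html) wherever they are rendered.
add_action( 'rest_api_init', function () {
    register_rest_route( 'otm-ac-example/v1', '/update-widget-options', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'permission_callback' => function () { return current_user_can( 'manage_options' ); },
        'args'                => array( 'widget_options' => array(
            'type'              => 'object',
            'sanitize_callback' => function ( $v ) { return map_deep( $v, 'sanitize_text_field' ); },
        ) ),
        'callback'            => function ( WP_REST_Request $r ) {
            update_option( 'otm_ac_example_widget_options', $r['widget_options'] );
            return rest_ensure_response( array( 'updated' => true ) );
        },
    ) );
} );
```

Because the guard denies rather than rewrites, logging the returned 401/403 responses at the web server gives the access-log signal the mitigation section asks you to monitor.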
CVE-2026-3643 is a stored Cross-Site Scripting (XSS) vulnerability in the Accessibly WordPress plugin, allowing attackers to inject malicious scripts via unprotected REST API endpoints.
You are affected if you are using the Accessibly plugin in versions 3.0.3 or earlier. Check your plugin version and upgrade immediately.
Upgrade the Accessibly plugin to a version higher than 3.0.3. As a temporary measure, disable the plugin or restrict access to the vulnerable REST API endpoints.
While no public exploits have been released, the lack of authentication makes it a likely target for exploitation.
Refer to the Accessibly plugin's official website or WordPress plugin repository for the latest security advisories and updates.