Platform: wordpress
Component: otm-accessibly
Fixed in: 3.0.4
CVE-2026-3643 describes a stored Cross-Site Scripting (XSS) vulnerability affecting the Accessibly WordPress plugin. It allows attackers to inject malicious scripts through the plugin's REST API endpoints, which can lead to attacker-controlled JavaScript running in visitors' browsers and to data theft. The vulnerability affects Accessibly versions up to and including 3.0.3. A patch is available, and users need to upgrade to a fixed version.
The vulnerability resides in the plugin's REST API endpoints /otm-ac/v1/update-widget-options and /otm-ac/v1/update-app-config. Because their permission_callback is set to __return_true, these endpoints perform no authentication or authorization check. An attacker can craft a malicious JSON payload and send it to these endpoints, and the payload is saved directly to the WordPress options table with update_option(). This allows injection of arbitrary JavaScript that executes in the browser of any user visiting the affected WordPress site. The potential impact includes session hijacking, defacement of the website, redirection to malicious sites, and theft of sensitive user data.
CVE-2026-3643 was publicly disclosed on 2026-04-14. No public proof-of-concept (PoC) code has been released at the time of writing, but because the endpoints require no authentication, exploitation is relatively easy and the vulnerability is a likely target. It is not currently listed in the CISA KEV catalog.
EPSS: 0.09% (26th percentile)
The primary mitigation is to upgrade the Accessibly plugin immediately to version 3.0.4 or later, which contains the fix. If upgrading is not immediately feasible, consider temporarily disabling the plugin. As a temporary workaround, restrict access to the vulnerable REST API endpoints using a WordPress firewall plugin, or enforce an authentication and capability check on them with custom code. Regularly review WordPress plugin updates and security advisories to stay informed about potential vulnerabilities.
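The following is an added illustration, not code from the Accessibly plugin, of what a hardened options-writing REST route looks like compared with the pattern the advisory describes (permission_callback set to __return_true and the raw JSON body passed to update_option()). The route namespace, option key and field names are assumptions for the example.

```php
<?php
/**
 * Added example (not the Accessibly plugin's code). Hypothetical route,
 * option key and fields. The advisory's vulnerable pattern is:
 *   'permission_callback' => '__return_true',            // anyone may call it
 *   update_option( $key, $request->get_json_params() );  // raw JSON persisted
 */
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-ac/v1', '/update-widget-options', array(
        'methods'             => WP_REST_Server::CREATABLE,
        // Only users allowed to manage options may write them. For
        // cookie-authenticated callers core also requires a valid X-WP-Nonce.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        // Declare the accepted fields; anything else in the body is ignored.
        'args' => array(
            'widget_color' => array(
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_hex_color',
            ),
            'widget_label' => array(
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
            'enabled' => array(
                'type'              => 'boolean',
                'sanitize_callback' => 'rest_sanitize_boolean',
            ),
        ),
        'callback' => function ( WP_REST_Request $request ) {
            // Rebuild the stored value from the sanitized params only.
            $clean = array(
                'widget_color' => (string) $request->get_param( 'widget_color' ),
                'widget_label' => (string) $request->get_param( 'widget_label' ),
                'enabled'      => (bool) $request->get_param( 'enabled' ),
            );
            update_option( 'example_widget_options', $clean );
            return rest_ensure_response( array( 'updated' => true ) );
        },
    ) );
} );

// Escape on output as well, so a value written by any other path cannot
// become script when the widget is rendered.
function example_render_widget_label() {
    $opts = get_option( 'example_widget_options', array() );
    echo esc_html( $opts['widget_label'] ?? '' );
}
```

The capability check closes the unauthenticated write; the per-field sanitization and the output escaping are what prevent stored values from becoming executable script.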
CVE-2026-3643 is a stored Cross-Site Scripting (XSS) vulnerability in the Accessibly WordPress plugin, allowing attackers to inject malicious scripts via unprotected REST API endpoints.
You are affected if you are using the Accessibly plugin in versions 3.0.3 or earlier. Check your plugin version and upgrade immediately.
Upgrade the Accessibly plugin to a version higher than 3.0.3. As a temporary measure, disable the plugin or restrict access to the vulnerable REST API endpoints.
While no public exploits have been released, the lack of authentication makes it a likely target for exploitation.
Refer to the Accessibly plugin's official website or WordPress plugin repository for the latest security advisories and updates.