GHSA-7XM7-CGQR-V2H2

Vulnerability from github – Published: 2026-04-22 21:31 – Updated: 2026-04-22 21:31
VLAI?
Details

The Accessibly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in all versions up to, and including, 3.0.3. The plugin registers REST API endpoints at /otm-ac/v1/update-widget-options and /otm-ac/v1/update-app-config with the permission_callback set to __return_true, which means no authentication or authorization check is performed. The updateWidgetOptions() function in AdminApi.php accepts user-supplied JSON data and passes it directly to AccessiblyOptions::updateAppConfig(), which saves it to the WordPress options table via update_option() without any sanitization or validation. The stored widgetSrc value is later retrieved by AssetsManager::enqueueFrontendScripts() and passed directly to wp_enqueue_script() as the script URL, causing it to be rendered as a <script> tag on every front-end page. This makes it possible for unauthenticated attackers to inject arbitrary JavaScript that executes for all site visitors by changing the widgetSrc option to point to a malicious external script.

Severity ?
7.2 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2026-3643"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-15T09:16:31Z",
    "severity": "HIGH"
  },
  "details": "The Accessibly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in all versions up to, and including, 3.0.3. The plugin registers REST API endpoints at `/otm-ac/v1/update-widget-options` and `/otm-ac/v1/update-app-config` with the `permission_callback` set to `__return_true`, which means no authentication or authorization check is performed. The `updateWidgetOptions()` function in `AdminApi.php` accepts user-supplied JSON data and passes it directly to `AccessiblyOptions::updateAppConfig()`, which saves it to the WordPress options table via `update_option()` without any sanitization or validation. The stored `widgetSrc` value is later retrieved by `AssetsManager::enqueueFrontendScripts()` and passed directly to `wp_enqueue_script()` as the script URL, causing it to be rendered as a `\u003cscript\u003e` tag on every front-end page. This makes it possible for unauthenticated attackers to inject arbitrary JavaScript that executes for all site visitors by changing the `widgetSrc` option to point to a malicious external script.",
  "id": "GHSA-7xm7-cgqr-v2h2",
  "modified": "2026-04-22T21:31:44Z",
  "published": "2026-04-22T21:31:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3643"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/otm-accessibly/tags/3.0.3/public/Api/BaseApiController.php#L22"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/otm-accessibly/tags/3.0.3/public/AssetsManager.php#L63"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/otm-accessibly/tags/3.0.3/public/Data/AccessiblyOptions.php#L69"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/otm-accessibly/tags/3.0.3/public/admin/AdminApi.php#L65"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/otm-accessibly/trunk/public/Api/BaseApiController.php#L22"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/otm-accessibly/trunk/public/AssetsManager.php#L63"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/otm-accessibly/trunk/public/Data/AccessiblyOptions.php#L69"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/otm-accessibly/trunk/public/admin/AdminApi.php#L65"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f8234ea2-ff80-425f-b83d-29c422b40c6a?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.