Stored DOM-Based Cross-Site Scripting in WP Accessibility Plugin by WordPress

CVE-2026-2362

What is CVE-2026-2362?

The WP Accessibility plugin for WordPress has a vulnerability that exposes it to stored DOM-based cross-site scripting (XSS) via the 'alt' attribute of images processed by the 'Long Description UI' feature. All versions up to and including 2.3.1 are affected due to the plugin's unsafe extraction of the alt attribute with getAttribute(), followed by a direct insertion into innerHTML and insertAdjacentHTML without proper sanitization. This flaw allows authenticated attackers with Contributor-level access or higher to inject malicious web scripts that execute whenever a user accesses a manipulated page, contingent upon the 'Long Description UI' setting being activated and linked to the description.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch →

References