Stored Cross-Site Scripting Vulnerability in Accessibly Plugin for WordPress
CVE-2026-3643

7.2 HIGH

What is CVE-2026-3643?

The Accessibly plugin for WordPress contains a Stored Cross-Site Scripting vulnerability reachable through its REST API. Two endpoints, /otm-ac/v1/update-widget-options and /otm-ac/v1/update-app-config, are registered without any authentication or authorization check, so an unauthenticated attacker can submit arbitrary JSON to them. The submitted data is written directly to the WordPress options table without validation or sanitization. Because the widgetSrc option controls which script the plugin loads, an attacker can point it at a script under their control, which is then executed on every frontend page a visitor loads, compromising the integrity and security of the site for all of its users.
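The root cause described above is a REST route with no capability check whose callback stores the request body verbatim. The following is an added example, not the Accessibly plugin's own code: it shows that weak registration pattern beside a hardened one for the /otm-ac/v1/update-widget-options route and the widgetSrc option. The route path and option key come from the advisory; the function names, the option name 'otm_ac_widget_options', and the allowlisted host are assumptions made for illustration.

```php
<?php
/*
 * Added example, not code from the Accessibly plugin. The route
 * 'otm-ac/v1/update-widget-options' and the 'widgetSrc' key are from the
 * advisory; function names, the 'otm_ac_widget_options' option name and
 * the allowlisted host below are assumptions for illustration.
 */

// --- Weak pattern: the bug class the advisory describes ------------------
// '__return_true' admits any request, authenticated or not, and the decoded
// JSON body is stored as-is, so whatever arrives in widgetSrc is persisted.
function otm_ac_register_routes_weak() {
    register_rest_route( 'otm-ac/v1', '/update-widget-options', array(
        'methods'             => 'POST',
        'permission_callback' => '__return_true',
        'callback'            => function ( WP_REST_Request $request ) {
            update_option( 'otm_ac_widget_options', $request->get_json_params() );
            return rest_ensure_response( array( 'ok' => true ) );
        },
    ) );
}

// --- Hardened pattern ----------------------------------------------------
const OTM_AC_ALLOWED_WIDGET_HOST = 'cdn.example.invalid'; // assumed allowlist

function otm_ac_can_manage( WP_REST_Request $request ) {
    // Cookie-based REST requests already need a valid X-WP-Nonce to carry a
    // user session; this adds the capability check the weak route lacked.
    return current_user_can( 'manage_options' );
}

function otm_ac_sanitize_widget_src( $value ) {
    // Accept only an https URL on the allowlisted host. esc_url_raw() strips
    // disallowed schemes (javascript:, data:); the host check rejects any
    // other origin. Returning WP_Error makes the REST request fail with 400.
    $url  = esc_url_raw( (string) $value, array( 'https' ) );
    $host = wp_parse_url( $url, PHP_URL_HOST );
    if ( '' === $url || OTM_AC_ALLOWED_WIDGET_HOST !== $host ) {
        return new WP_Error(
            'otm_ac_bad_src',
            'widgetSrc must be an https URL on the allowed host.',
            array( 'status' => 400 )
        );
    }
    return $url;
}

function otm_ac_register_routes_hardened() {
    register_rest_route( 'otm-ac/v1', '/update-widget-options', array(
        'methods'             => 'POST',
        'permission_callback' => 'otm_ac_can_manage',
        'args'                => array(
            'widgetSrc' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'otm_ac_sanitize_widget_src',
            ),
        ),
        'callback'            => function ( WP_REST_Request $request ) {
            // Persist only the known field, already sanitized via 'args';
            // unknown keys in the JSON body are never written to the option.
            $options = array( 'widgetSrc' => $request->get_param( 'widgetSrc' ) );
            update_option( 'otm_ac_widget_options', $options );
            return rest_ensure_response( $options );
        },
    ) );
}

// Output side: re-check the stored value and escape it before it reaches
// the page, so a value written before the fix is not loaded blindly.
function otm_ac_enqueue_widget() {
    $options = get_option( 'otm_ac_widget_options', array() );
    $src     = isset( $options['widgetSrc'] ) ? $options['widgetSrc'] : '';
    if ( '' === $src || is_wp_error( otm_ac_sanitize_widget_src( $src ) ) ) {
        return; // stored value does not pass the allowlist: do not load it
    }
    wp_enqueue_script( 'otm-ac-widget', esc_url( $src ), array(), null, true );
}

add_action( 'rest_api_init', 'otm_ac_register_routes_hardened' );
add_action( 'wp_enqueue_scripts', 'otm_ac_enqueue_widget' );
```

The hardened route closes the issue at three points: the permission_callback rejects unauthenticated and low-privilege requests, the args schema restricts what can be stored and to what shape, and the enqueue path re-validates and escapes the stored URL so a value that was already in the options table before an update cannot load an arbitrary script. A site running an affected version should also inspect the stored widgetSrc value after updating, since the fix alone does not undo a previous write.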

Affected Version(s)

Accessibly – WordPress Website Accessibility: all versions up to and including 3.0.3

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Yoschanin Pulsirivong
Ronnachai Sretawat Na Ayutaya
Ronnachai Chaipha