CVE-2026-3643 Overview
The Accessibly plugin for WordPress contains a critical Stored Cross-Site Scripting (XSS) vulnerability affecting all versions up to and including 3.0.3. The vulnerability exists in the plugin's REST API endpoints which lack proper authentication and input validation, allowing unauthenticated attackers to inject malicious JavaScript that executes for all site visitors.
The plugin registers REST API endpoints at /otm-ac/v1/update-widget-options and /otm-ac/v1/update-app-config with the permission_callback set to __return_true, effectively bypassing all authentication and authorization checks. This design flaw enables any unauthenticated remote attacker to modify plugin options and inject arbitrary scripts.
Critical Impact
Unauthenticated attackers can inject persistent malicious JavaScript that executes in the browsers of all website visitors, enabling session hijacking, credential theft, defacement, and malware distribution.
Affected Products
- Accessibly WordPress Plugin version 3.0.3 and earlier
- WordPress sites with the Accessibly (otm-accessibly) plugin installed
- All front-end pages of affected WordPress installations
Discovery Timeline
- April 15, 2026 - CVE-2026-3643 published to NVD
- April 15, 2026 - Last updated in NVD database
Technical Details for CVE-2026-3643
Vulnerability Analysis
This Stored XSS vulnerability stems from a complete lack of authentication on sensitive REST API endpoints combined with missing input sanitization. The attack chain involves multiple components within the plugin architecture.
The updateWidgetOptions() function in AdminApi.php accepts user-supplied JSON data through the unprotected REST API endpoints and passes it directly to AccessiblyOptions::updateAppConfig(). This function then saves the attacker-controlled data to the WordPress options table via update_option() without performing any sanitization, validation, or encoding.
The stored widgetSrc value is subsequently retrieved by AssetsManager::enqueueFrontendScripts() and passed directly to wp_enqueue_script() as the script URL parameter. This causes WordPress to render the attacker-controlled URL as a <script> tag on every front-end page, resulting in persistent arbitrary JavaScript execution for all site visitors.
Root Cause
The root cause is a combination of two critical security failures: First, the REST API endpoints use __return_true as the permission_callback, which is a WordPress helper function that simply returns true regardless of the request context, completely disabling access control. Second, user-supplied data flows from the API endpoint through to the database and ultimately into script tag output without any sanitization, validation, or output encoding at any point in the data path.
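The two failures above map directly onto the route registration and the enqueue call. The following is an added illustration, not code from the Accessibly plugin: it shows the unauthenticated registration pattern the advisory describes next to a hardened version that requires the manage_options capability, declares and validates the widgetSrc parameter, and re-checks the stored value before it reaches wp_enqueue_script(). The otm_ac_* function names, the otm_ac_app_config option key and the allowed widget host are assumptions.

```php
<?php
// Added example (not the plugin's own code). Function names, the option key
// and the allowed host are assumptions chosen for illustration.

// --- Vulnerable pattern as described in the advisory -------------------------
// '__return_true' admits any anonymous request, and the raw JSON body is
// written to the options table without validation.
function otm_ac_register_vulnerable_route() {
    register_rest_route( 'otm-ac/v1', '/update-widget-options', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $request ) {
            update_option( 'otm_ac_app_config', $request->get_json_params() );
            return rest_ensure_response( array( 'ok' => true ) );
        },
        'permission_callback' => '__return_true',
    ) );
}

// --- Hardened pattern --------------------------------------------------------
// Hosts from which the widget script may legitimately be served (assumed value).
const OTM_AC_ALLOWED_SCRIPT_HOSTS = array( 'widget.example-accessibly.test' );

// Accept only an absolute https:// URL whose host is on the allowlist.
function otm_ac_validate_widget_src( $value ) {
    if ( ! is_string( $value ) || ! wp_http_validate_url( $value ) ) {
        return new WP_Error( 'rest_invalid_param', 'widgetSrc must be a valid URL.', array( 'status' => 400 ) );
    }
    $parts = wp_parse_url( $value );
    if ( empty( $parts['scheme'] ) || 'https' !== strtolower( $parts['scheme'] ) ) {
        return new WP_Error( 'rest_invalid_param', 'widgetSrc must use https.', array( 'status' => 400 ) );
    }
    if ( empty( $parts['host'] ) || ! in_array( strtolower( $parts['host'] ), OTM_AC_ALLOWED_SCRIPT_HOSTS, true ) ) {
        return new WP_Error( 'rest_invalid_param', 'widgetSrc host is not allowed.', array( 'status' => 400 ) );
    }
    return true;
}

function otm_ac_register_hardened_route() {
    register_rest_route( 'otm-ac/v1', '/update-widget-options', array(
        'methods'             => 'POST',
        // Only administrators may change the widget configuration. With cookie
        // authentication current_user_can() is false unless a valid X-WP-Nonce
        // header was sent, so this also blocks CSRF through an admin's browser.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        // Declared parameters are validated and sanitized by WordPress before
        // the callback runs; the callback then reads only this declared field.
        'args'                => array(
            'widgetSrc' => array(
                'required'          => true,
                'type'              => 'string',
                'validate_callback' => 'otm_ac_validate_widget_src',
                'sanitize_callback' => 'esc_url_raw',
            ),
        ),
        'callback'            => function ( WP_REST_Request $request ) {
            // Store only the validated field, never the raw JSON body.
            update_option( 'otm_ac_app_config', array( 'widgetSrc' => $request->get_param( 'widgetSrc' ) ) );
            return rest_ensure_response( array( 'ok' => true ) );
        },
    ) );
}
add_action( 'rest_api_init', 'otm_ac_register_hardened_route' );

// Output side: validate the stored value again before it becomes a <script>
// tag, so a value written by any other path still cannot load an unknown host.
function otm_ac_enqueue_widget() {
    $config = get_option( 'otm_ac_app_config', array() );
    $src    = isset( $config['widgetSrc'] ) ? $config['widgetSrc'] : '';
    if ( true !== otm_ac_validate_widget_src( $src ) ) {
        return; // refuse to enqueue rather than emit an unexpected script URL
    }
    wp_enqueue_script( 'otm-ac-widget', $src, array(), null, true );
}
add_action( 'wp_enqueue_scripts', 'otm_ac_enqueue_widget' );
```

The important design point is that the check happens twice: once at the API boundary, where the capability check stops the unauthenticated write, and once at output, where the host allowlist stops an already-stored value from being rendered. Either check alone would have closed the path described in this advisory; together they also cover writes that bypass the REST layer.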
Attack Vector
The attack is network-based and requires no authentication or user interaction to exploit. An attacker can send a malicious HTTP POST request to the vulnerable REST API endpoint containing a crafted widgetSrc value pointing to an attacker-controlled JavaScript file. Once stored, this malicious script URL is automatically loaded on every front-end page of the WordPress site.
The attack flow proceeds as follows: The attacker identifies a WordPress site running the vulnerable Accessibly plugin, sends a POST request to /wp-json/otm-ac/v1/update-widget-options with a JSON payload containing a malicious widgetSrc URL, the plugin stores this value without validation, and subsequently all visitors to any front-end page receive the malicious script in their browser.
Detection Methods for CVE-2026-3643
Indicators of Compromise
- Unexpected POST requests to /wp-json/otm-ac/v1/update-widget-options or /wp-json/otm-ac/v1/update-app-config endpoints in access logs
- Modified widgetSrc option values in the WordPress options table pointing to external or suspicious domains
- Unknown or unauthorized external script tags appearing in front-end page source code
- Sudden appearance of JavaScript files loaded from domains not associated with the legitimate plugin or site
Detection Strategies
- Monitor web server access logs for requests to the vulnerable REST API endpoints, particularly from unauthenticated sources
- Implement Web Application Firewall (WAF) rules to detect and block suspicious requests to /otm-ac/v1/* endpoints
- Perform regular audits of the WordPress options table for unexpected changes to Accessibly plugin configuration values
- Deploy Content Security Policy (CSP) headers to detect and block unauthorized script sources
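The first two indicators above can be checked offline against existing access logs. The following is an added example, not part of the advisory or the plugin: a standalone PHP script (no WordPress dependency) that parses combined-format log lines and reports write requests to the two routes, including the query-string form /?rest_route=/otm-ac/v1/..., which a path-only block rule does not cover unless it also inspects the query string. The log lines are constructed for illustration and the function names are assumptions.

```php
<?php
// Added example (not from the advisory or the plugin). Scans access-log lines
// for state-changing requests to the two REST routes named in the advisory.
// All sample log lines below are constructed.

// Both URL forms under which a WordPress REST route can be reached:
// pretty permalinks (/wp-json/...) and the query form (?rest_route=/...).
const OTM_AC_ROUTE_PATTERN = '#(?:/wp-json/otm-ac/v1/|rest_route=/?otm-ac/v1/)(update-widget-options|update-app-config)#';

// Parse one Apache/nginx "combined" log line into its fields, or null if it
// does not match the expected layout.
function otm_ac_parse_log_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return array( 'ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5] );
}

// Return the entries that hit a vulnerable route with a state-changing method.
// A 2xx on such a request from a source you do not recognise is the indicator
// to act on; GET probes are kept out because they cannot change the option.
function otm_ac_find_suspicious_requests( array $lines ): array {
    $hits = array();
    foreach ( $lines as $line ) {
        $entry = otm_ac_parse_log_line( $line );
        if ( null === $entry ) {
            continue;
        }
        if ( ! in_array( $entry['method'], array( 'POST', 'PUT', 'PATCH' ), true ) ) {
            continue;
        }
        if ( preg_match( OTM_AC_ROUTE_PATTERN, $entry['path'], $m ) ) {
            $entry['route'] = $m[1];
            $hits[]         = $entry;
        }
    }
    return $hits;
}

// Constructed sample: one benign request, two writes (pretty and query form),
// and one GET probe that should not be reported.
$sample = array(
    '203.0.113.5 - - [15/Apr/2026:10:01:02 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Apr/2026:10:02:40 +0000] "POST /wp-json/otm-ac/v1/update-widget-options HTTP/1.1" 200 31 "-" "curl/8.4.0"',
    '198.51.100.7 - - [15/Apr/2026:10:02:41 +0000] "POST /?rest_route=/otm-ac/v1/update-app-config HTTP/1.1" 200 31 "-" "curl/8.4.0"',
    '203.0.113.9 - - [15/Apr/2026:10:03:00 +0000] "GET /wp-json/otm-ac/v1/update-widget-options HTTP/1.1" 404 12 "-" "Mozilla/5.0"',
);

foreach ( otm_ac_find_suspicious_requests( $sample ) as $hit ) {
    printf( "%s %s %s -> %d (%s)\n", $hit['time'], $hit['ip'], $hit['method'], $hit['status'], $hit['route'] );
}
```

Run it with `php scan.php` after replacing `$sample` with the lines of your own access log (`file('/var/log/apache2/access.log')`, for example). Any reported write that predates the date you applied a block rule or patch should be followed by an audit of the stored widgetSrc value, since a successful request means the option may already have been changed.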
Monitoring Recommendations
- Configure real-time alerting for any modifications to Accessibly plugin options in the database
- Implement file integrity monitoring on plugin directories to detect unauthorized changes
- Monitor browser console errors and CSP violation reports for indicators of script injection attempts
- Review web application firewall logs for blocked requests matching XSS patterns targeting WordPress REST API endpoints
How to Mitigate CVE-2026-3643
Immediate Actions Required
- Update the Accessibly plugin to a patched version as soon as one becomes available from the vendor
- Consider temporarily deactivating and removing the Accessibly plugin until a security patch is released
- Audit the WordPress options table for any unauthorized modifications to Accessibly plugin settings
- Review front-end page source code for unexpected external script references and remove any malicious entries
Patch Information
At the time of publication, administrators should monitor the Wordfence Vulnerability Report and the WordPress plugin repository for a security update. The vulnerable code paths can be reviewed in the plugin's AdminApi.php and AssetsManager.php files.
Workarounds
- Block access to the vulnerable REST API endpoints using web server configuration or WAF rules until a patch is available
- Implement strict Content Security Policy headers to restrict which external scripts can be loaded on the site
- Use a WordPress security plugin to add authentication requirements to the Accessibly REST API endpoints
- Monitor and restrict outbound connections from your web server to prevent loading of externally hosted malicious scripts
# Apache .htaccess rules to block the vulnerable REST endpoints.
# Place them above the "# BEGIN WordPress" block so they run before WordPress's
# own catch-all rewrite to index.php.
<IfModule mod_rewrite.c>
RewriteEngine On
# Pretty-permalink form: /wp-json/otm-ac/v1/update-widget-options etc.
RewriteRule ^wp-json/otm-ac/v1/(update-widget-options|update-app-config) - [F,L]
# Query-string form: /?rest_route=/otm-ac/v1/update-widget-options etc.
RewriteCond %{QUERY_STRING} (^|&)rest_route=/?otm-ac/v1/(update-widget-options|update-app-config) [NC]
RewriteRule ^ - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.