CVE-2025-32215 MEDIUM

CVE-2025-32215: WordPress Accessibility Suite plugin <= 4.18 - Arbitrary File Upload vulnerability

Vendor: Ability, Inc
Product: Accessibility Suite
Weakness: CWE-434 · Unrestricted file upload
Published: April 10, 2025
Last update: April 28, 2026

CVSS base score

6.5/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: Required
Confidentiality: Low
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

What the vulnerability does

01 Description

Unrestricted Upload of File with Dangerous Type vulnerability in Ability, Inc Accessibility Suite online-accessibility allows Stored XSS. This issue affects Accessibility Suite: from n/a through <= 4.18.

Explanation of Vulnerability in Simple Terms

02 Summary

Ability, Inc Accessibility Suite versions 4.18 and earlier allow authenticated users to upload files without proper validation. An attacker with low-level access can upload malicious files that may affect the confidentiality, integrity, or availability of the site. User interaction is required to trigger the upload. The scope of impact extends beyond the vulnerable component.

What an attacker can do

03 Attacker Capabilities

Upload files without validation to compromise site confidentiality, integrity, or availability.

Potential impact on your site

04 Site Impact

Malicious files uploaded by attackers with low privileges could compromise your site's data or functionality.

Conditions required to exploit

05 Prerequisites

Attacker must have low-level authenticated access and trick a user into visiting a malicious page.

Key dates

06 Disclosure timeline

April 10, 2025: CVE published
April 28, 2026: Record updated