CVE-2026-3643 HIGH

CVE-2026-3643: Accessibly <= 3.0.3 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting via Widget Source Injection via REST API

Vendor Onthemapmarketing
Product Accessibly – WordPress Website Accessibility
Weakness CWE-79 · XSS
Published April 15, 2026
Last update April 15, 2026

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01 Description

The Accessibly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in all versions up to, and including, 3.0.3. The plugin registers REST API endpoints at `/otm-ac/v1/update-widget-options` and `/otm-ac/v1/update-app-config` with the `permission_callback` set to `__return_true`, which means no authentication or authorization check is performed. The `updateWidgetOptions()` function in `AdminApi.php` accepts user-supplied JSON data and passes it directly to `AccessiblyOptions::updateAppConfig()`, which saves it to the WordPress options table via `update_option()` without any sanitization or validation. The stored `widgetSrc` value is later retrieved by `AssetsManager::enqueueFrontendScripts()` and passed directly to `wp_enqueue_script()` as the script URL, causing it to be rendered as a `<script>` tag on every front-end page. This makes it possible for unauthenticated attackers to inject arbitrary JavaScript that executes for all site visitors by changing the `widgetSrc` option to point to a malicious external script.
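As an added illustration (not the plugin's own code), the snippet below shows the same endpoint pattern registered with a real capability check and with `widgetSrc` validated before it is stored or enqueued; the weak form on the page registers the route with `permission_callback` set to `__return_true` and stores the raw JSON body. The route namespace and `widgetSrc` key come from the advisory; the option name, function names and the allowed host are assumptions.

```php
<?php
// Added example, not the plugin's code: a hardened version of the endpoint
// pattern described in the advisory. Option, function and host names are
// assumptions; the route and the widgetSrc key come from the advisory.

// Hosts from which the widget script may be loaded (assumed value).
const EXAMPLE_ALLOWED_SCRIPT_HOSTS = [ 'cdn.example.com' ];

add_action( 'rest_api_init', function () {
    register_rest_route( 'otm-ac/v1', '/update-widget-options', [
        'methods'             => 'POST',
        'callback'            => 'example_update_widget_options',
        // Require an administrator-level capability instead of '__return_true'.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ] );
} );

function example_update_widget_options( WP_REST_Request $request ) {
    $params = $request->get_json_params();
    $src    = isset( $params['widgetSrc'] ) ? (string) $params['widgetSrc'] : '';

    // Accept only an https URL whose host is on the allowlist; esc_url_raw()
    // returns '' for anything that is not a well-formed https URL.
    $clean = esc_url_raw( $src, [ 'https' ] );
    $host  = wp_parse_url( $clean, PHP_URL_HOST );
    if ( '' === $clean || ! in_array( $host, EXAMPLE_ALLOWED_SCRIPT_HOSTS, true ) ) {
        return new WP_Error(
            'invalid_widget_src',
            'widgetSrc must be an https URL on an allowed host.',
            [ 'status' => 400 ]
        );
    }

    // Store only the validated field, never the raw request body.
    $config              = (array) get_option( 'example_app_config', [] );
    $config['widgetSrc'] = $clean;
    update_option( 'example_app_config', $config );
    return rest_ensure_response( [ 'widgetSrc' => $clean ] );
}

// Re-check at output time so a tampered option never becomes a <script> tag.
add_action( 'wp_enqueue_scripts', function () {
    $config = (array) get_option( 'example_app_config', [] );
    $src    = (string) ( $config['widgetSrc'] ?? '' );
    $host   = wp_parse_url( $src, PHP_URL_HOST );
    if ( '' !== $src && in_array( $host, EXAMPLE_ALLOWED_SCRIPT_HOSTS, true ) ) {
        wp_enqueue_script( 'example-widget', $src, [], null, true );
    }
} );
```

The output-time check matters on its own: even after the endpoint is fixed, a value written to the options table before the update would otherwise still be enqueued on every page.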

Explanation of Vulnerability in Simple Terms

02 Summary

The Accessibly WordPress plugin versions 3.0.3 and earlier contain a cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to inject malicious scripts into the site. The vulnerability affects all visitors and can impact site integrity and confidentiality. No user interaction is required for exploitation.

What an attacker can do

03 Attacker Capabilities

Inject malicious JavaScript that runs in visitors' browsers and steals data or modifies site content.

Potential impact on your site

04 Site Impact

Visitors' browsers could execute attacker-controlled scripts, potentially compromising user data or site reputation.

Conditions required to exploit

05 Prerequisites

Network access to the WordPress site; no authentication or user interaction required.

Key dates

06 Disclosure timeline

April 15, 2026 CVE published
April 15, 2026 Record updated

Related vulnerabilities

08 Related CVE