CVE-2026-9015 equalizedigital CVE debrief

Who should care

WordPress site administrators using Equalize Digital Accessibility Checker for compliance auditing; accessibility compliance officers relying on audit integrity for WCAG, ADA, EAA, or Section 508 reporting; security teams managing WordPress plugin inventories; organizations subject to accessibility litigation requiring defensible audit trails

Technical summary

The vulnerability exists in the plugin's AJAX handlers for managing accessibility issue states. The affected endpoints fail to verify user capabilities before processing modifications to ignore state, ignore reason, and ignore comment fields. The largeBatch parameter enables unbounded updates across matching object identifiers. Source code analysis of versions 1.38.0 and 1.41.0 confirms the missing authorization checks at the specified line numbers in class-ajax.php and class-enqueue-admin.php.

Defensive priority

medium

Recommended defensive actions

• Upgrade Equalize Digital Accessibility Checker plugin to version 1.42.1 or later
• Review accessibility audit logs for unauthorized modifications to issue ignore states
• Implement principle of least privilege by restricting subscriber-level accounts where possible
• Monitor for anomalous bulk modifications to accessibility issue metadata
• Verify integrity of historical accessibility compliance records
• Apply WordPress core security best practices including nonce validation and capability checks for custom AJAX endpoints

Evidence notes

Vulnerability confirmed via WordPress plugin repository source code analysis. Affected code paths identified in class-ajax.php at lines 40, 814, and 856 across versions 1.38.0 and 1.41.0, with additional exposure through class-enqueue-admin.php line 89. Changeset 3539961 in the WordPress plugin repository documents the remediation. CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N yields score 4.3 (Medium). CWE-862 (Missing Authorization) classified as primary weakness.

Official resources