Equalize Digital Accessibility Checker <= 1.42.0
An authorization bypass vulnerability has been identified in the Equalize Digital Accessibility Checker plugin for WordPress, affecting all versions up to and including 1.42.0. The issue arises because the plugin fails to properly verify user authorization for certain actions. This flaw enables authenticated attackers with subscriber-level access or higher to change the ignore state, reason, and comments of accessibility issues site-wide. Setting 'largeBatch' to true applies the change to every row that shares the same 'object' identifier, so a single request can alter issues well beyond the attacker's authorized scope and undermine the integrity of accessibility audits by concealing or dismissing findings.
Exploitation of this vulnerability could lead to unauthorized modifications of accessibility issue records, allowing users to hide or dismiss findings without proper authorization, thereby corrupting the accessibility audit process.
To reproduce this vulnerability, an authenticated user with subscriber-level access or higher can send an AJAX request to the 'edac_insert_ignore_data' action. This request can include specific post IDs and, if 'largeBatch' is set to true, will affect all accessibility issues associated with those IDs, including mass modifications of issues across the site.
Users are advised to update the Equalize Digital Accessibility Checker plugin to version 1.42.1 or later, where this vulnerability has been addressed.
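The defect described above is a wp_ajax_* handler that writes to the plugin's issue table without checking who is calling it. The handler below is an added illustration of the hardened shape such a handler should take; it is not the plugin's own code, and the table name, column names, request parameters other than 'largeBatch', and the nonce action are assumptions.

```php
<?php
// Added illustration of the missing-authorization bug class, not the plugin's code.
// Assumed: table {prefix}accessibility_checker with columns id, postid, object,
// ignre, ignre_reason, ignre_comment, ignre_user; nonce action 'edac_ignore_nonce'.

function edac_ignore_handler_hardened() {
    global $wpdb;
    $table = $wpdb->prefix . 'accessibility_checker'; // assumed table name

    // 1. CSRF protection: the request must carry a nonce issued to this user.
    check_ajax_referer( 'edac_ignore_nonce', 'nonce' ); // assumed nonce action

    $post_id = absint( $_POST['post_id'] ?? 0 );
    $row_id  = absint( $_POST['id'] ?? 0 );
    $large   = ! empty( $_POST['largeBatch'] );

    // 2. Authorization. wp_ajax_* fires for every logged-in user, including
    //    subscribers, so the role check must be explicit. Editing one issue
    //    requires the right to edit the post it belongs to; a batch edit touches
    //    rows owned by many posts, so it is gated on an administrator capability.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    if ( $large && ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'batch edits require an administrator', 403 );
    }

    // 3. Only then sanitize and write.
    $data = array(
        'ignre'         => empty( $_POST['ignre'] ) ? 0 : 1,
        'ignre_reason'  => sanitize_text_field( wp_unslash( $_POST['ignre_reason'] ?? '' ) ),
        'ignre_comment' => sanitize_text_field( wp_unslash( $_POST['ignre_comment'] ?? '' ) ),
        'ignre_user'    => get_current_user_id(),
    );

    if ( $large ) {
        // Batch path: update every row sharing the selected row's 'object' value.
        $object = $wpdb->get_var( $wpdb->prepare( "SELECT object FROM {$table} WHERE id = %d", $row_id ) );
        if ( null === $object ) {
            wp_send_json_error( 'unknown issue', 404 );
        }
        $updated = $wpdb->update( $table, $data, array( 'object' => $object ) );
    } else {
        // Single-row path: bind the row to the post the caller was authorized for.
        $updated = $wpdb->update( $table, $data, array( 'id' => $row_id, 'postid' => $post_id ) );
    }

    wp_send_json_success( array( 'updated' => (int) $updated ) );
}
add_action( 'wp_ajax_edac_insert_ignore_data', 'edac_ignore_handler_hardened' );
// No wp_ajax_nopriv_ registration: unauthenticated requests reach no handler at all.
```

The single-row WHERE clause ties the write to the post the capability check covered, so a valid row id from another post cannot be edited by guessing it.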