CVE-2026-3643
Published: 15 April 2026
Summary
CVE-2026-3643 is a high-severity Cross-site Scripting (CWE-79) vulnerability in WordPress (inferred from references). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 39.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-3643 is a Stored Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, in the Accessibly plugin for WordPress, affecting all versions up to and including 3.0.3. The issue stems from REST API endpoints registered at `/otm-ac/v1/update-widget-options` and `/otm-ac/v1/update-app-config` with a `permission_callback` of `__return_true`, which performs no authentication or authorization checks. The `updateWidgetOptions()` function in `AdminApi.php` accepts unsanitized user-supplied JSON data and passes it directly to `AccessiblyOptions::updateAppConfig()`, which stores it in the WordPress options table via `update_option()`. The `widgetSrc` value is later retrieved by `AssetsManager::enqueueFrontendScripts()` and enqueued via `wp_enqueue_script()` as a script URL, rendering it as a `<script>` tag on every front-end page.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By sending crafted JSON payloads to the vulnerable endpoints, they can overwrite the `widgetSrc` option with a URL pointing to a malicious external script. This injects arbitrary JavaScript that executes in the browsers of all site visitors on front-end pages, enabling attacks such as session hijacking, data theft, or phishing. The CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) reflects its high severity due to the changed scope and potential for broad impact across the site.
References point to specific locations in the plugin's source code on the WordPress plugin trac repository, including `BaseApiController.php` line 22 (permission_callback), `AssetsManager.php` line 63 (script enqueuing), `AccessiblyOptions.php` line 69 (option updates), and `AdminApi.php` line 65 (JSON handling), illustrating the absence of sanitization, validation, or authentication. No patch or mitigation details are provided in the available references.
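Because the advisory describes the attack as an accepted write to two named REST routes, the first thing a site owner wants after reading it is a way to find such writes in web-server logs. The script below is an added example, not part of the advisory or the plugin: it parses combined-format access-log lines (the sample lines are constructed for this example), matches requests to the two route paths from the advisory in both the `/wp-json/...` and `?rest_route=` forms that WordPress accepts, and ranks accepted write requests above everything else. The function names are illustrative.

```php
<?php
// Added example: triage access logs for calls to the two REST routes named in
// the advisory. Route paths come from the advisory; the log lines are constructed.

const OTM_AC_ROUTES = array(
    '/otm-ac/v1/update-widget-options',
    '/otm-ac/v1/update-app-config',
);

// Combined log format: ip - - [time] "METHOD path HTTP/x" status bytes "referer" "ua"
const OTM_AC_LOG_PATTERN = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/';

function otm_ac_parse_line( string $line ): ?array {
    if ( ! preg_match( OTM_AC_LOG_PATTERN, $line, $m ) ) {
        return null; // not a combined-format line; skip it
    }
    return array(
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $m[4],
        'status' => (int) $m[5],
        'ua'     => $m[6],
    );
}

// True when the request path addresses one of the routes, either as
// /wp-json/<route> or as index.php?rest_route=<route>.
function otm_ac_is_target_route( string $path ): bool {
    $parts = parse_url( $path );
    $p     = $parts['path'] ?? '';
    foreach ( OTM_AC_ROUTES as $route ) {
        if ( $p === '/wp-json' . $route ) {
            return true;
        }
    }
    if ( isset( $parts['query'] ) ) {
        parse_str( $parts['query'], $q );
        if ( isset( $q['rest_route'] ) && in_array( $q['rest_route'], OTM_AC_ROUTES, true ) ) {
            return true;
        }
    }
    return false;
}

// Returns every matching request; accepted write methods (2xx) are marked
// "high" because only those can have changed the stored option.
function otm_ac_triage( array $lines ): array {
    $hits = array();
    foreach ( $lines as $line ) {
        $r = otm_ac_parse_line( $line );
        if ( null === $r || ! otm_ac_is_target_route( $r['path'] ) ) {
            continue;
        }
        $is_write       = in_array( $r['method'], array( 'POST', 'PUT', 'PATCH' ), true );
        $r['severity']  = ( $is_write && $r['status'] < 300 ) ? 'high' : 'info';
        $hits[]         = $r;
    }
    return $hits;
}

// Constructed sample: two accepted writes from one client, one unrelated
// request, and one write that was rejected (what a patched site should log).
$sample = array(
    '203.0.113.7 - - [15/Apr/2026:10:01:02 +0000] "POST /wp-json/otm-ac/v1/update-widget-options HTTP/1.1" 200 17 "-" "python-requests/2.31"',
    '198.51.100.9 - - [15/Apr/2026:10:01:05 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [15/Apr/2026:10:01:09 +0000] "POST /index.php?rest_route=/otm-ac/v1/update-app-config HTTP/1.1" 200 17 "-" "curl/8.5"',
    '192.0.2.44 - - [15/Apr/2026:10:02:00 +0000] "POST /wp-json/otm-ac/v1/update-widget-options HTTP/1.1" 401 45 "-" "curl/8.5"',
);

foreach ( otm_ac_triage( $sample ) as $h ) {
    printf( "[%s] %s %s %s %s -> %d (%s)\n",
        $h['severity'], $h['time'], $h['ip'], $h['method'], $h['path'], $h['status'], $h['ua'] );
}
```

Access logs do not record whether a request carried an authenticated session, so on an unpatched site every accepted write to these routes is a candidate and should be cross-checked against the value of the stored `widgetSrc` option: if it points anywhere other than the site itself or the plugin vendor's script host, treat the site as compromised and reset the option after updating the plugin.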
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-22860
Vulnerability details
The Accessibly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in all versions up to, and including, 3.0.3. The plugin registers REST API endpoints at `/otm-ac/v1/update-widget-options` and `/otm-ac/v1/update-app-config` with the `permission_callback` set to `__return_true`, which means no authentication or authorization check is performed. The `updateWidgetOptions()` function in `AdminApi.php` accepts user-supplied JSON data and passes it directly to `AccessiblyOptions::updateAppConfig()`, which saves it to the WordPress options table via `update_option()` without any sanitization or validation. The stored `widgetSrc` value is later retrieved by `AssetsManager::enqueueFrontendScripts()` and passed directly to `wp_enqueue_script()` as the script URL, causing it to be rendered as a `<script>` tag on every front-end page. This makes it possible for unauthenticated attackers to inject arbitrary JavaScript that executes for all site visitors by changing the `widgetSrc` option to point to a malicious external script.
- CWE(s): CWE-79 (Cross-site Scripting)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The stored XSS vulnerability in a public-facing WordPress plugin enables direct exploitation of the application via unauthenticated REST endpoints (T1190) and injection and execution of arbitrary JavaScript in visitor browsers (T1059.007).
Mitigating Controls (NIST 800-53 r5)
- Requires authorization for sensitive REST API endpoints like `update-widget-options`, preventing unauthenticated attackers from modifying the `widgetSrc` option.
- Mandates validation and sanitization of user-supplied JSON data before storage in the WordPress options table, blocking malicious `widgetSrc` values.
- Filters the retrieved `widgetSrc` value prior to enqueuing via `wp_enqueue_script()`, preventing injection of arbitrary external scripts on front-end pages.
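The three controls above, and the flaw described under "Deeper analysis", map onto three concrete changes in a WordPress plugin: a real `permission_callback`, a validated and sanitized `widgetSrc` parameter, and a re-check at enqueue time. The code below is an added example written for this page; it is not the Accessibly plugin's own code and does not reproduce its file layout. The route path and the `widgetSrc` parameter name come from the advisory. The option key `otm_ac_app_config`, the `manage_options` capability, and all function names are assumptions chosen for illustration. The first block shows the unauthenticated pattern the advisory describes so the hardened form can be read against it.

```php
<?php
// Added example (not the Accessibly plugin's code). Route path and parameter
// name are from the advisory; option key, capability and function names are
// assumptions made for this illustration.

// --- Pattern described in the advisory: anyone may call the route, and the
// decoded JSON body is stored as-is.
function otm_ac_register_route_as_described() {
    register_rest_route( 'otm-ac/v1', '/update-widget-options', array(
        'methods'             => 'POST',
        'callback'            => 'otm_ac_update_widget_options_as_described',
        'permission_callback' => '__return_true', // no authentication or authorization
    ) );
}

function otm_ac_update_widget_options_as_described( WP_REST_Request $request ) {
    update_option( 'otm_ac_app_config', $request->get_json_params() ); // stored unvalidated
    return rest_ensure_response( array( 'ok' => true ) );
}

// --- Hardened form.

// Control 1 (authorization): only users who can manage the site may change it.
function otm_ac_can_manage_widget( WP_REST_Request $request ) {
    return current_user_can( 'manage_options' ); // assumed capability
}

// Control 2 (input validation): accept only an https URL whose host is this
// site or an explicitly allowed host. Add the vendor's script host to the
// allowlist if the widget is served from a CDN (not known from the advisory).
function otm_ac_is_allowed_widget_src( $value ): bool {
    if ( ! is_string( $value ) ) {
        return false;
    }
    $allowed_hosts = array( strtolower( (string) wp_parse_url( home_url(), PHP_URL_HOST ) ) );
    $parts         = wp_parse_url( $value );
    if ( ! is_array( $parts ) || empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
        return false;
    }
    return 'https' === strtolower( $parts['scheme'] )
        && in_array( strtolower( $parts['host'] ), $allowed_hosts, true );
}

// validate_callback signature used by the REST API: (value, request, param name).
function otm_ac_validate_widget_src( $value, WP_REST_Request $request, $param ) {
    if ( ! otm_ac_is_allowed_widget_src( $value ) ) {
        return new WP_Error( 'rest_invalid_param', 'widgetSrc must be an https URL on an allowed host', array( 'status' => 400 ) );
    }
    return true;
}

function otm_ac_register_route_hardened() {
    register_rest_route( 'otm-ac/v1', '/update-widget-options', array(
        'methods'             => 'POST',
        'callback'            => 'otm_ac_update_widget_options_hardened',
        'permission_callback' => 'otm_ac_can_manage_widget',
        'args'                => array(
            'widgetSrc' => array(
                'required'          => true,
                'type'              => 'string',
                'validate_callback' => 'otm_ac_validate_widget_src', // runs before sanitize_callback
                'sanitize_callback' => 'esc_url_raw',
            ),
        ),
    ) );
}

function otm_ac_update_widget_options_hardened( WP_REST_Request $request ) {
    // Only the declared, validated parameter is stored; other JSON keys are ignored.
    update_option( 'otm_ac_app_config', array( 'widgetSrc' => $request->get_param( 'widgetSrc' ) ) );
    return rest_ensure_response( array( 'ok' => true ) );
}

// Control 3 (filter before enqueue): re-check the stored value, so a value
// written by an older plugin version or a direct database edit is never enqueued.
function otm_ac_enqueue_frontend_scripts() {
    $config = get_option( 'otm_ac_app_config', array() );
    $src    = is_array( $config ) && isset( $config['widgetSrc'] ) ? $config['widgetSrc'] : '';
    if ( ! otm_ac_is_allowed_widget_src( $src ) ) {
        return; // refuse to emit a <script> tag for anything that fails validation
    }
    wp_enqueue_script( 'otm-ac-widget', esc_url_raw( $src ), array(), null, true );
}

add_action( 'rest_api_init', 'otm_ac_register_route_hardened' );
add_action( 'wp_enqueue_scripts', 'otm_ac_enqueue_frontend_scripts' );
```

The enqueue-time check is deliberately independent of the REST validation: it closes the window in which an already-poisoned option value, written before the plugin was updated, would keep loading the external script for every visitor until an administrator notices and resets it.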