Cyber Resilience

CVE-2026-3643

Severity: High
Published: 15 April 2026
Modified: 22 April 2026
CVSS v3.1 score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
EPSS score: 0.0018 (39.3rd percentile)
Risk priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-3643 is a high-severity stored Cross-site Scripting (CWE-79) vulnerability in the Accessibly plugin for WordPress (the affected product is inferred from the references; NVD has not filed a CPE). Its CVSS v3.1 base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique T1190 (Exploit Public-Facing Application). Its EPSS score places it at the 39.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-3643 is a Stored Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, in the Accessibly plugin for WordPress, affecting all versions up to and including 3.0.3. The issue stems from REST API endpoints registered at `/otm-ac/v1/update-widget-options` and `/otm-ac/v1/update-app-config` with a `permission_callback` of `__return_true`, which performs no authentication or authorization checks. The `updateWidgetOptions()` function in `AdminApi.php` accepts unsanitized user-supplied JSON data and passes it directly to `AccessiblyOptions::updateAppConfig()`, which stores it in the WordPress options table via `update_option()`. The `widgetSrc` value is later retrieved by `AssetsManager::enqueueFrontendScripts()` and enqueued via `wp_enqueue_script()` as a script URL, rendering it as a `<script>` tag on every front-end page.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction. By sending crafted JSON to the vulnerable endpoints they can overwrite the `widgetSrc` option with the URL of a script they control, which is then loaded in the browsers of all visitors to front-end pages and can be used for session hijacking, data theft, or phishing. The CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) reflects the changed scope: the injected script executes in visitors' browsers, outside the security authority of the vulnerable plugin, so a single unauthenticated request affects every visitor to the site.

References point to specific locations in the plugin's source code on the WordPress plugin trac repository, including `BaseApiController.php` line 22 (permission_callback), `AssetsManager.php` line 63 (script enqueuing), `AccessiblyOptions.php` line 69 (option updates), and `AdminApi.php` line 65 (JSON handling), illustrating the absence of sanitization, validation, or authentication. No patch or mitigation details are provided in the available references.


Vulnerability details

The Accessibly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in all versions up to, and including, 3.0.3. The plugin registers REST API endpoints at `/otm-ac/v1/update-widget-options` and `/otm-ac/v1/update-app-config` with the `permission_callback` set to `__return_true`, which means no authentication or authorization check is performed. The `updateWidgetOptions()` function in `AdminApi.php` accepts user-supplied JSON data and passes it directly to `AccessiblyOptions::updateAppConfig()`, which saves it to the WordPress options table via `update_option()` without any sanitization or validation. The stored `widgetSrc` value is later retrieved by `AssetsManager::enqueueFrontendScripts()` and passed directly to `wp_enqueue_script()` as the script URL, causing it to be rendered as a `<script>` tag on every front-end page. This makes it possible for unauthenticated attackers to inject arbitrary JavaScript that executes for all site visitors by changing the `widgetSrc` option to point to a malicious external script.
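The code flow described in Deeper analysis and in the vulnerability details above, reconstructed as an editor-added example in PHP. This is not the plugin's own source: the option name `otm_ac_widget_src`, the allowed-host list, the fallback script path and all function names are assumptions; only the route, the WordPress API calls and the flaw itself come from the advisory. The vulnerable registration is kept for contrast and never hooked; the hardened version adds a real `permission_callback`, declares and validates `widgetSrc` so nothing else from the JSON body reaches `update_option()`, and re-checks the stored value at render time.

```php
<?php
/**
 * Editor-added example, not the Accessibly plugin's code. Assumed names:
 * option 'otm_ac_widget_src', OTM_AC_ALLOWED_SCRIPT_HOSTS, assets/widget.js.
 */

/** Hosts from which the widget script may be loaded (assumed allow-list). */
const OTM_AC_ALLOWED_SCRIPT_HOSTS = array( 'cdn.example.com' );

/* ---- Vulnerable pattern, kept only for contrast: do NOT hook this. --------- */
function otm_ac_register_routes_vulnerable() {
    register_rest_route( 'otm-ac/v1', '/update-widget-options', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'permission_callback' => '__return_true',            // no authorization at all
        'callback'            => function ( WP_REST_Request $request ) {
            $data = $request->get_json_params();              // unsanitized client JSON
            update_option( 'otm_ac_widget_src', $data['widgetSrc'] ?? '' );
            return rest_ensure_response( array( 'ok' => true ) );
        },
    ) );
}
function otm_ac_enqueue_vulnerable() {
    // Whatever was stored becomes <script src="..."> on every front-end page.
    wp_enqueue_script( 'otm-ac-widget', get_option( 'otm_ac_widget_src' ), array(), null, true );
}

/* ---- Hardened version ------------------------------------------------------ */

/** True only for an https URL whose host is on the allow-list. */
function otm_ac_is_allowed_widget_src( $url ) {
    if ( ! is_string( $url ) || '' === $url ) {
        return false;
    }
    $parts = wp_parse_url( $url );                             // user@host tricks parse as userinfo
    if ( ! is_array( $parts ) || empty( $parts['host'] ) ) {  // rejects //host, javascript:, paths
        return false;
    }
    return 'https' === strtolower( $parts['scheme'] ?? '' )
        && in_array( strtolower( $parts['host'] ), OTM_AC_ALLOWED_SCRIPT_HOSTS, true );
}

/** REST validate_callback; WordPress calls it with ( $value, $request, $param ). */
function otm_ac_validate_widget_src( $value, $request, $param ) {
    if ( otm_ac_is_allowed_widget_src( $value ) ) {
        return true;
    }
    return new WP_Error(
        'rest_invalid_param',
        "$param must be an https URL on an allow-listed host",
        array( 'status' => 400 )
    );
}

function otm_ac_register_routes_hardened() {
    register_rest_route( 'otm-ac/v1', '/update-widget-options', array(
        'methods'             => WP_REST_Server::CREATABLE,
        // Only users allowed to change site options. With cookie authentication
        // WordPress also demands a valid X-WP-Nonce before the user is considered
        // logged in, so a plain cross-site POST fails this check.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        // Declared args are validated and sanitized by the REST server before the
        // callback runs; undeclared JSON keys never reach update_option().
        'args'                => array(
            'widgetSrc' => array(
                'required'          => true,
                'type'              => 'string',
                'validate_callback' => 'otm_ac_validate_widget_src',
                'sanitize_callback' => function ( $value ) { return esc_url_raw( $value ); },
            ),
        ),
        'callback'            => function ( WP_REST_Request $request ) {
            update_option( 'otm_ac_widget_src', $request->get_param( 'widgetSrc' ) );
            return rest_ensure_response( array( 'ok' => true ) );
        },
    ) );
}
add_action( 'rest_api_init', 'otm_ac_register_routes_hardened' );

function otm_ac_enqueue_hardened() {
    $src = get_option( 'otm_ac_widget_src', '' );
    // Re-check at render time: a value written by an older vulnerable version or
    // by direct database access must not become a script tag either.
    if ( ! otm_ac_is_allowed_widget_src( $src ) ) {
        $src = plugins_url( 'assets/widget.js', __FILE__ ); // bundled copy (assumed path)
    }
    wp_enqueue_script( 'otm-ac-widget', $src, array(), null, true );
}
add_action( 'wp_enqueue_scripts', 'otm_ac_enqueue_hardened' );
```

The two checks are deliberately redundant: the REST `args` schema stops bad values at the door, and the render-time check stops a bad value that is already in the options table (for example one planted while a vulnerable version was installed) from ever being emitted as a `<script>` tag. Updating the plugin alone does not remove such a value; the stored `widgetSrc` should be inspected after patching.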

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

The stored XSS vulnerability in a public-facing WordPress plugin allows direct exploitation of the application through unauthenticated REST endpoints (T1190) and the injection and execution of arbitrary JavaScript in visitors' browsers (T1059.007).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3231 (shared CWE-79)
CVE-2025-23481 (shared CWE-79)
CVE-2025-69302 (shared CWE-79)
CVE-2025-23734 (shared CWE-79)
CVE-2025-23571 (shared CWE-79)
CVE-2025-65110 (shared CWE-79)
CVE-2026-24948 (shared CWE-79)
CVE-2025-27352 (shared CWE-79)
CVE-2025-30349 (shared CWE-79)
CVE-2026-3876 (shared CWE-79)

Affected Assets

WordPress: Accessibly plugin, all versions up to and including 3.0.3
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls (NIST 800-53 r5)

prevent: AC-14 Permitted Actions Without Identification or Authentication
Requires authorization for sensitive REST API endpoints such as update-widget-options and update-app-config, preventing unauthenticated attackers from modifying the widgetSrc option.

prevent: SI-10 Information Input Validation
Mandates validation and sanitization of user-supplied JSON data before storage in the WordPress options table, blocking malicious widgetSrc values.

prevent
Filters the retrieved widgetSrc value prior to enqueuing via wp_enqueue_script, preventing injection of arbitrary external scripts on front-end pages.
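The first control above (authorization on state-changing REST routes) can be checked across an entire WordPress install, not just this plugin. The following editor-added WP-CLI script (not from the plugin or the advisory; function name, constant and output format are the editor's choices) lists every registered REST route that accepts a non-read method with no `permission_callback` or with the literal `__return_true`, which is the misconfiguration behind this CVE. It generalizes the page's single case to all active plugins.

```php
<?php
/**
 * Editor-added audit script. Run on a WordPress install with WP-CLI:
 *   wp eval-file rest-open-write-audit.php
 * Lists REST routes whose state-changing methods need no authorization.
 */

/** Methods that are normally acceptable without authorization. */
const OTM_AC_READ_METHODS = array( 'GET', 'HEAD', 'OPTIONS' );

/**
 * Return a list of [ route, methods, permission_callback ] for every handler that
 * accepts a write method and has no permission_callback or '__return_true'.
 * Limitation: a closure that simply returns true cannot be detected here; only
 * the literal '__return_true' string and a missing callback are flagged.
 */
function otm_ac_audit_open_write_routes( WP_REST_Server $server ) {
    $findings = array();
    foreach ( $server->get_routes() as $route => $handlers ) {
        foreach ( $handlers as $handler ) {
            // get_routes() normalizes 'methods' to array( 'POST' => true, ... ).
            $writes = array_diff( array_keys( $handler['methods'] ), OTM_AC_READ_METHODS );
            if ( empty( $writes ) ) {
                continue;
            }
            $perm = isset( $handler['permission_callback'] ) ? $handler['permission_callback'] : null;
            if ( null === $perm || '__return_true' === $perm ) {
                $findings[] = array(
                    'route'               => $route,
                    'methods'             => array_values( $writes ),
                    'permission_callback' => null === $perm ? '(missing)' : $perm,
                );
            }
        }
    }
    return $findings;
}

if ( defined( 'WP_CLI' ) && WP_CLI ) {
    // rest_get_server() fires rest_api_init, so every active plugin's routes are
    // registered before get_routes() is read.
    $findings = otm_ac_audit_open_write_routes( rest_get_server() );
    foreach ( $findings as $f ) {
        WP_CLI::log( sprintf(
            '%-12s %-60s permission_callback=%s',
            implode( ',', $f['methods'] ),
            $f['route'],
            $f['permission_callback']
        ) );
    }
    WP_CLI::success( count( $findings ) . ' open write route(s) found' );
}
```

Treat each finding as a lead rather than a verdict: some routes are intentionally anonymous (public form submissions, for instance), but every one of them should then validate its input as strictly as the hardened example earlier on this page does. On a site running Accessibly 3.0.3 or older the two `/otm-ac/v1/` routes named in this advisory are expected to appear in the output.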
