
CVE-2024-11643: CWE-862 Missing Authorization in allaccessible Accessibility by AllAccessible

Severity: High
Published: Wed Dec 04 2024 (12/04/2024, 15:22:21 UTC)
Source: CVE Database V5
Vendor/Project: allaccessible
Product: Accessibility by AllAccessible

Description

CVE-2024-11643 is a high-severity vulnerability in the Accessibility by AllAccessible WordPress plugin (versions up to and including 1.3.4) caused by missing authorization checks in the 'AllAccessible_save_settings' function. Authenticated users with Subscriber-level access or higher can exploit this flaw to modify arbitrary site options, including changing the default user role to administrator and enabling user registration. This allows attackers to escalate privileges and gain full administrative control over the WordPress site without requiring user interaction. The vulnerability has a CVSS score of 8.8, indicating critical impact on confidentiality, integrity, and availability. No public exploits are known yet, but the ease of exploitation and potential damage make it a significant threat. Organizations using this plugin should prioritize patching or applying mitigations immediately to prevent unauthorized site takeover.

AI-Powered Analysis

Last updated: 02/26/2026, 06:25:46 UTC

Technical Analysis

The Accessibility by AllAccessible plugin for WordPress suffers from a missing authorization check vulnerability identified as CVE-2024-11643 (CWE-862). Specifically, the 'AllAccessible_save_settings' function does not verify whether the authenticated user has the necessary capabilities to modify plugin settings. This flaw affects all versions up to and including 1.3.4. As a result, any authenticated user with at least Subscriber-level privileges can invoke this function to update arbitrary WordPress options. Attackers can exploit this to change critical settings such as the default user role for new registrations to 'administrator' and enable user registration if it was previously disabled. This leads to privilege escalation, allowing attackers to create new admin accounts and gain full control over the site. The vulnerability is remotely exploitable over the network without user interaction and requires only low privileges to initiate. The CVSS 3.1 base score is 8.8 (High), reflecting the ease of exploitation combined with the severe impact on confidentiality, integrity, and availability of the affected WordPress sites. No patches or official fixes were listed at the time of publication, and no known exploits have been observed in the wild, but the vulnerability poses a significant risk to any site using this plugin.
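The defect class described above, as an added illustration that is not the plugin's actual code: a hypothetical AJAX settings-save handler that writes whatever option names the client sends, beside a hardened version that checks a nonce, the `manage_options` capability, and a closed allowlist of the plugin's own option keys. All `hypothetical_` names are assumptions; the WordPress functions used are real core APIs.

```php
<?php
// Added illustration of CWE-862 in a WordPress settings handler; NOT the
// AllAccessible plugin's code. Function and option names are hypothetical.

// VULNERABLE PATTERN (shown for contrast, not registered): any logged-in user
// who can reach admin-ajax.php can call it, and the option names come straight
// from the request, so arbitrary wp_options rows such as default_role and
// users_can_register become writable by a Subscriber.
function hypothetical_save_settings_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    foreach ( $settings as $name => $value ) {
        update_option( $name, $value );   // no capability check, no allowlist
    }
    wp_send_json_success();
}

// HARDENED PATTERN: nonce (CSRF) + capability check (the CWE-862 fix) + an
// allowlist of options this plugin owns, each sanitized with its own function.
function hypothetical_save_settings_hardened() {
    check_ajax_referer( 'hypothetical_settings_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $allowed = array(
        'hypothetical_widget_position' => 'sanitize_key',
        'hypothetical_widget_color'    => 'sanitize_text_field',
        'hypothetical_enabled'         => 'rest_sanitize_boolean',
    );
    $settings = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    foreach ( $settings as $name => $value ) {
        if ( ! isset( $allowed[ $name ] ) ) {
            continue;   // drop unknown keys (default_role, users_can_register, ...)
        }
        update_option( $name, call_user_func( $allowed[ $name ], $value ) );
    }
    wp_send_json_success();
}
// Only the hardened handler is wired up; the action name is hypothetical.
add_action( 'wp_ajax_hypothetical_save_settings', 'hypothetical_save_settings_hardened' );
```

The allowlist matters as much as the capability check: even an administrator-only handler should not let the request choose which `wp_options` row to write.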

Potential Impact

The vulnerability allows attackers with minimal privileges (Subscriber-level) to escalate their access to full administrative control over WordPress sites using the Accessibility by AllAccessible plugin. This can lead to complete site compromise, including data theft, defacement, malware injection, and persistent backdoors. Unauthorized modification of site options undermines the integrity and availability of the website, potentially disrupting business operations and damaging reputation. Since WordPress powers a large portion of the web, sites using this plugin are at risk of targeted attacks, especially those with public user registration enabled or where attackers can create accounts. The ability to change the default role to administrator further facilitates mass exploitation by enabling attackers to register new admin users automatically. Organizations relying on this plugin face risks of data breaches, loss of customer trust, and regulatory penalties if sensitive data is exposed or manipulated.

Mitigation Recommendations

Immediate mitigation involves restricting access to the plugin's settings functions by applying custom capability checks or disabling the plugin until a vendor patch is available. Site administrators should audit user roles and permissions to ensure no unauthorized accounts have elevated privileges. Disabling user registration temporarily can reduce attack surface. Monitoring logs for suspicious option changes or new admin accounts is critical. Applying a Web Application Firewall (WAF) rule to block unauthorized POST requests targeting the vulnerable function can provide interim protection. Administrators should subscribe to vendor advisories and update the plugin promptly once a security patch is released. Additionally, implementing multi-factor authentication (MFA) for admin accounts and regularly backing up site data will help mitigate the impact of potential compromises.
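One way to get the interim guard and the log monitoring recommended above while waiting for a vendor patch, as an added example that is not from the advisory or the vendor: a must-use plugin (dropped into `wp-content/mu-plugins/`) that refuses privileged values for `default_role`, logs writes to sensitive options with the acting user, and logs any account that gains the administrator role. Hook names are real WordPress core hooks; everything prefixed `hypo_` is an assumption, and the option list is a constructed starting point.

```php
<?php
// Added example mu-plugin; NOT from the advisory or the AllAccessible vendor.
// Core hooks (pre_update_option_*, updated_option, set_user_role) are real;
// the hypo_ names and the sensitive-option list are our assumptions.

// Options a settings-handler privilege escalation would typically touch.
const HYPO_SENSITIVE_OPTIONS = array( 'default_role', 'users_can_register', 'admin_email', 'siteurl', 'home' );

// Guard: never let default_role become a privileged role, whoever asks.
// Returning the old value makes update_option() a no-op for this write.
add_filter( 'pre_update_option_default_role', function ( $new_value, $old_value ) {
    if ( in_array( $new_value, array( 'administrator', 'editor' ), true ) ) {
        hypo_log( sprintf( 'blocked default_role change %s -> %s', $old_value, $new_value ) );
        return $old_value;
    }
    return $new_value;
}, 10, 2 );

// Detection: log every successful write to a sensitive option.
add_action( 'updated_option', function ( $option, $old_value, $value ) {
    if ( in_array( $option, HYPO_SENSITIVE_OPTIONS, true ) ) {
        hypo_log( sprintf( 'option %s changed: %s -> %s', $option,
            wp_json_encode( $old_value ), wp_json_encode( $value ) ) );
    }
}, 10, 3 );

// Detection: log any account granted the administrator role. This also fires
// for self-registration when default_role has been flipped to administrator.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    if ( 'administrator' === $role ) {
        hypo_log( sprintf( 'user %d set to administrator (was: %s)',
            $user_id, implode( ',', (array) $old_roles ) ) );
    }
}, 10, 3 );

function hypo_log( $message ) {
    $user = wp_get_current_user();
    $who  = ( $user && $user->exists() ) ? $user->user_login : 'anonymous';
    $uri  = isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '-';
    // Goes to PHP's error log (wp-content/debug.log with WP_DEBUG_LOG); forward it to your SIEM.
    error_log( sprintf( '[hypo-guard] %s by %s via %s', $message, $who, $uri ) );
}
```

The `via` field in each log line shows the request path, so a write to `default_role` arriving through `admin-ajax.php` from a Subscriber account stands out immediately in the log.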


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-11-23T00:45:36.261Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e18b7ef31ef0b59515a

Added to database: 2/25/2026, 9:48:08 PM

Last enriched: 2/26/2026, 6:25:46 AM

Last updated: 2/26/2026, 7:02:35 AM
