CVE-2024-5987: CWE-862 Missing Authorization in vol4ikman WP Accessibility Helper (WAH)
The WP Accessibility Helper (WAH) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_contrast_variations' and 'save_empty_contrast_variations' functions in all versions up to, and including, 0.6.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit or delete contrast settings. Please note these issues were patched in 0.6.2.8, though it broke functionality and the vendor has not responded to our follow-ups.
AI Analysis
Technical Summary
CVE-2024-5987 is a missing authorization vulnerability (CWE-862) in the WP Accessibility Helper (WAH) plugin for WordPress. The issue arises from missing capability checks on the 'save_contrast_variations' and 'save_empty_contrast_variations' functions, allowing authenticated users with Subscriber-level privileges or higher to modify or delete contrast settings without proper authorization. This affects all versions up to and including 0.6.2.8. A patch was released in version 0.6.2.8 to address the issue, but it reportedly caused broken functionality and the vendor has not responded to follow-up inquiries.
Potential Impact
The vulnerability allows authenticated users with low-level privileges (Subscriber and above) to perform unauthorized modifications or deletions of contrast settings in the plugin. This could lead to integrity and availability impacts on the plugin's accessibility configuration. There is no indication of confidentiality impact. No known exploits are reported in the wild at this time.
Mitigation Recommendations
A patch addressing this vulnerability was released in version 0.6.2.8; however, it reportedly breaks functionality and the vendor has not provided further updates. Users should evaluate the impact of applying the patch in their environment. Until a stable fix is available, consider restricting Subscriber-level access or higher to trusted users only. Monitor vendor channels for any future updates or official fixes.
CVE-2024-5987: CWE-862 Missing Authorization in vol4ikman WP Accessibility Helper (WAH)
Description
The WP Accessibility Helper (WAH) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_contrast_variations' and 'save_empty_contrast_variations' functions in all versions up to, and including, 0.6.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit or delete contrast settings. Please note these issues were patched in 0.6.2.8, though it broke functionality and the vendor has not responded to our follow-ups.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2024-5987 is a missing authorization vulnerability (CWE-862) in the WP Accessibility Helper (WAH) plugin for WordPress. The issue arises from missing capability checks on the 'save_contrast_variations' and 'save_empty_contrast_variations' functions, allowing authenticated users with Subscriber-level privileges or higher to modify or delete contrast settings without proper authorization. This affects all versions up to and including 0.6.2.8. A patch was released in version 0.6.2.8 to address the issue, but it reportedly caused broken functionality and the vendor has not responded to follow-up inquiries.
Potential Impact
The vulnerability allows authenticated users with low-level privileges (Subscriber and above) to perform unauthorized modifications or deletions of contrast settings in the plugin. This could lead to integrity and availability impacts on the plugin's accessibility configuration. There is no indication of confidentiality impact. No known exploits are reported in the wild at this time.
Mitigation Recommendations
A patch addressing this vulnerability was released in version 0.6.2.8; however, it reportedly breaks functionality and the vendor has not provided further updates. Users should evaluate the impact of applying the patch in their environment. Until a stable fix is available, consider restricting Subscriber-level access or higher to trusted users only. Monitor vendor channels for any future updates or official fixes.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-06-13T19:25:37.920Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6bf8b7ef31ef0b55d31e
Added to database: 2/25/2026, 9:39:04 PM
Last enriched: 4/9/2026, 8:04:23 AM
Last updated: 4/11/2026, 10:15:29 PM
Views: 12
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.