CVE-2025-13309: CWE-862 Missing Authorization in codeconfig Accessiy by CodeConfig – Accessibility Widgets for ADA, EAA & WCAG Compliance
The Accessiy By CodeConfig Accessibility – Easy One-Click Accessibility Toolbar That Truly Matters plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.0.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers with subscriber-level access and above to modify the plugin’s global accessibility settings.
AI Analysis
Technical Summary
The Accessiy by CodeConfig – Accessibility Widgets for ADA, EAA & WCAG Compliance WordPress plugin suffers from an authorization bypass vulnerability (CWE-862) in versions up to and including 1.0.2. The plugin fails to properly verify that a user is authorized to perform certain actions, enabling authenticated users with subscriber-level privileges or higher to modify global accessibility settings. The CVSS 3.1 base score is 4.3 (medium severity) with network attack vector, low attack complexity, requiring privileges, no user interaction, unchanged scope, no confidentiality or availability impact, and low integrity impact.
Potential Impact
Authenticated users with subscriber-level access or higher can modify global accessibility settings of the plugin without proper authorization. This could lead to unauthorized changes in accessibility configurations, potentially affecting website behavior or compliance with accessibility standards. There is no direct confidentiality or availability impact reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict subscriber-level user capabilities where possible and monitor for unauthorized changes to accessibility settings. Avoid granting unnecessary privileges to users. Follow vendor updates for a patch or official mitigation.
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-17T14:45:29.669Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6933c71e11163305efef3dc2
Added to database: 12/6/2025, 6:03:10 AM
Last enriched: 4/9/2026, 9:29:52 AM
Last updated: 5/10/2026, 1:24:18 AM