CVE-2026-2362 is a stored DOM-based cross-site scripting vulnerability identified in the WP Accessibility plugin for WordPress, specifically affecting all versions up to and including 2.3.1. The vulnerability stems from the plugin's handling of the 'alt' attribute of images within the Long Description UI feature. The plugin's JavaScript code retrieves the 'alt' attribute using getAttribute() and directly concatenates this value into innerHTML and insertAdjacentHTML DOM manipulation calls without adequate sanitization or escaping. This unsafe practice allows an authenticated attacker with Contributor-level or higher privileges to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or data theft. Exploitation requires that the Long Description UI setting be enabled and configured to 'Link to description,' which controls how image descriptions are rendered. The vulnerability is notable because it leverages stored DOM-based XSS, meaning the malicious payload is stored persistently in the WordPress database and executed dynamically in the DOM. The CVSS 3.1 score of 6.4 reflects a medium severity, with network attack vector, low attack complexity, privileges required, no user interaction, and a scope change due to the potential impact on other users. No patches or exploit code are currently publicly available, and no known active exploitation has been reported. However, the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple contributors and public-facing content.

The primary impact of CVE-2026-2362 is on the confidentiality and integrity of affected WordPress sites. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of the victim's browser, potentially leading to session hijacking, theft of sensitive information such as authentication tokens or personal data, and unauthorized actions performed on behalf of users. Since the vulnerability requires Contributor-level access, attackers must first compromise or have legitimate access to an account with such privileges, which limits the attack surface but does not eliminate risk. The stored nature of the XSS means that once injected, the malicious script can affect any user who views the compromised content, including administrators and site visitors. This can damage the reputation of organizations, lead to data breaches, and facilitate further attacks such as phishing or malware distribution. Given the widespread use of WordPress and the WP Accessibility plugin, organizations worldwide that rely on this plugin for accessibility compliance or enhancements are at risk. The vulnerability does not affect availability, so denial-of-service is not a primary concern. However, the scope change in CVSS indicates that the impact extends beyond the attacker’s privileges to other users, increasing the severity of the threat.

To mitigate CVE-2026-2362, organizations should first verify if the WP Accessibility plugin version 2.3.1 or earlier is in use and whether the Long Description UI feature is enabled and set to 'Link to description.' Immediate mitigation steps include disabling the Long Description UI feature or changing its setting to prevent the vulnerable code path from executing. If a patched version becomes available, promptly apply the update to ensure proper sanitization of the 'alt' attribute. In the absence of an official patch, site administrators can implement custom input validation or sanitization on the 'alt' attribute fields to strip or encode potentially malicious scripts before storage. Additionally, restricting Contributor-level access to trusted users reduces the risk of exploitation. Employing a Web Application Firewall (WAF) with rules to detect and block suspicious script injection attempts targeting the plugin’s functionality can provide an additional layer of defense. Regularly auditing user-generated content for injected scripts and monitoring logs for unusual activity related to the plugin can help detect exploitation attempts early. Finally, educating content contributors about safe input practices and the risks of XSS can reduce inadvertent introduction of malicious content.