CVE-2026-3643 describes a stored cross-site scripting vulnerability in the Accessibly WordPress plugin (versions up to 3.0.3). The plugin exposes REST API endpoints `/otm-ac/v1/update-widget-options` and `/otm-ac/v1/update-app-config` with a permission callback that always returns true, effectively disabling authentication and authorization. The `updateWidgetOptions()` function accepts user JSON input and directly passes it to `AccessiblyOptions::updateAppConfig()`, which stores the data in the WordPress options table without sanitization. The stored `widgetSrc` value is later used as a script URL in `wp_enqueue_script()`, causing execution of attacker-controlled JavaScript on every front-end page load. This vulnerability allows unauthenticated attackers to inject persistent malicious scripts affecting all site visitors.

An unauthenticated attacker can exploit this vulnerability to inject and store arbitrary JavaScript code that executes in the browsers of all visitors to the affected WordPress site. This can lead to theft of user credentials, session hijacking, defacement, or other malicious actions performed in the context of the vulnerable website. The CVSS score of 7.2 (high severity) reflects the network attack vector, lack of required privileges or user interaction, and the potential for confidentiality and integrity impact.

No official patch or remediation has been confirmed at this time. Since the REST API endpoints lack authentication and allow unsafe data storage, site administrators should consider disabling or restricting access to these endpoints if possible. Monitor the vendor advisory for updates and apply any official fixes once available. Until then, avoid using the affected plugin version or remove it if feasible to prevent exploitation.