CVE-2026-9015 is an authorization bypass vulnerability (CWE-862) in the Equalize Digital Accessibility Checker plugin for WordPress, affecting all versions up to and including 1.42.0. The plugin fails to properly verify user authorization before allowing modifications to accessibility issue ignore states, reasons, and comments. Authenticated attackers with subscriber-level privileges can exploit this flaw to alter accessibility audit data across the entire site, including bulk changes when the 'largeBatch=true' parameter is used. This undermines the reliability of accessibility compliance reporting by enabling unauthorized users to hide or dismiss findings beyond their permission scope.

The vulnerability allows authenticated users with low-level privileges to manipulate accessibility audit data, specifically the ignore state, reason, and comments of accessibility issues. This can corrupt the audit integrity by hiding or dismissing findings that should not be ignored, potentially leading to non-compliance with accessibility standards such as WCAG, ADA, EAA, and Section 508. There is no indication of confidentiality or availability impact. The CVSS score is 4.3 (medium severity), reflecting limited impact confined to integrity.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch information is provided at this time. Until a patch is available, restrict subscriber-level user permissions where possible and monitor for unauthorized changes to accessibility audit data. Avoid granting unnecessary authenticated access to the plugin's modification functions.