cleantalk
Vulnerabilities and Security Researches

One Click Accessibility, CVE-2025-10700

CVE, Research URL

CVE-2025-10700

Home page URL

Security reports for One Click Accessibility

Application

One Click Accessibility

Published on
Oct 16, 2025
Research Description
The Ally – Web Accessibility & Usability plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.0. This is due to missing or incorrect nonce validation on the enable_unfiltered_files_upload function. This makes it possible for unauthenticated attackers to enable unfiltered file upload and add svg files to the upload list via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
max 3.8.1.
Status
vulnerable
Previous vulnerability researches
Simple Excel Pricelist for WooCommerce (CVE-2025-12096) , Nov 10, 2025
New vulnerability
Theme Editor (CVE-2025-9890) , Nov 10, 2025
wpForo Forum (CVE-2025-4203) , Nov 10, 2025
wpForo Forum (CVE-2025-11740) , Nov 10, 2025
Estatik Real Estate Plugin (CVE-2025-62963) , Nov 10, 2025
Interactive Content – H5P (CVE-2025-62951) , Nov 10, 2025