cleantalk
Vulnerabilities and Security Researches

WP Accessibility, CVE-2026-2362

CVE, Research URL

CVE-2026-2362

Home page URL

Security reports for WP Accessibility

Application

WP Accessibility

Published on
Feb 27, 2026
Research Description
The WP Accessibility plugin for WordPress is vulnerable to Stored DOM-Based Cross-Site Scripting via the 'alt' attribute of images processed by the "Long Description UI" feature in all versions up to, and including, 2.3.1. This is due to the plugin's JavaScript retrieving the alt attribute using getAttribute() and unsafely concatenating it into innerHTML and insertAdjacentHTML calls without proper sanitization or escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the "Long Description UI" setting to be enabled and set to "Link to description."
Affected versions
max 2.3.2.
Status
vulnerable
Previous vulnerability researches
Germanized for WooCommerce (c7f8732ffdd5f3947de85d9aaed3c63d7a44299e) , Jun 07, 2024
Germanized for WooCommerce (CVE-2026-2582) , Apr 14, 2026
New vulnerability
Customer Reviews for WooCommerce (CVE-2026-1316) , Apr 15, 2026
WP Recipe Maker (CVE-2026-1558) , Apr 15, 2026
Page and Post Clone (CVE-2026-2893) , Apr 15, 2026
Greenshift – animation and page builder blocks (CVE-2026-2589) , Apr 15, 2026
Greenshift – animation and page builder blocks (CVE-2026-1927) , Apr 15, 2026