Plugin Name	WP Accessibility
Type of Vulnerability	Cross-Site Scripting (XSS)
CVE Number	CVE-2026-2362
Urgency	Low
CVE Publish Date	2026-02-26
Source URL	CVE-2026-2362

Authenticated Contributor Stored DOM-Based XSS in WP Accessibility (≤2.3.1) — What Site Owners Must Know and How to Protect WordPress Right Now

Summary: A stored, DOM-based cross-site scripting vulnerability affecting the WP Accessibility plugin (versions up to and including 2.3.1) was disclosed and patched in 2.3.2. The flaw permits an authenticated contributor-level user to store a crafted payload in image alt text that can later be interpreted by client-side JavaScript and executed in other users’ browsers. This article — written in the practical, direct tone of a Hong Kong security expert — explains the vulnerability, who’s at risk, how to detect it, and concrete mitigations you can apply immediately.

Quick facts

Affected software: WP Accessibility plugin (WordPress), versions ≤ 2.3.1
Patched in: 2.3.2
Vulnerability type: Stored, DOM-based Cross-Site Scripting (XSS)
CVE: CVE-2026-2362
Required privilege for exploitation: Authenticated Contributor (or higher)
CVSS-ish impact: Moderate (public references evaluate around 6.5)
Primary risk: arbitrary JavaScript execution in victims’ browsers (session theft, CSRF-like privilege misuse, defacement, etc.)

How this vulnerability works (technical deep dive)

DOM-based XSS occurs when untrusted data stored server-side is later used insecurely by client-side JavaScript so that the browser treats it as executable code. Stored XSS means the payload persists (for example, in media metadata), and DOM-based indicates the execution happens in the browser because the plugin’s JavaScript inserts the stored data into the DOM using unsafe methods like innerHTML or string concatenation.

Likely sequence for this WP Accessibility issue:

Contributor-level users can set or edit image alt text (a normal feature).
The plugin stores the alt text in attachment metadata or post meta without sufficient sanitization/escaping.
A client-side routine later reads that value and constructs DOM markup insecurely — e.g.:

element.innerHTML = '';

If altValue contains quotes, angle brackets or inline HTML (for example a payload that closes the attribute and adds onerror=”…”), the resulting HTML may include an injected event handler or script. When a higher-privileged user or visitor loads the page and plugin JS runs, the injected JavaScript executes in their context — producing XSS.

Root causes:

Insufficient server-side sanitization for content supplied by contributor-level users.
Unsafe client-side DOM insertion (innerHTML/string concatenation) without escaping.
Trust-boundary failures: data from low-privileged users treated as safe in contexts where it is not.

Realistic exploitation scenarios and impact

This vulnerability is practical and dangerous on many multi-author WordPress sites (magazines, membership portals, LMS, community blogs).

Example attack flow:

An attacker with a contributor account uploads an image and sets the alt text to a crafted payload; the payload is saved in attachment metadata.
When an admin/editor or site visitor views a page where the plugin’s JS renders that image (or when an admin screen loads), the payload executes in their browser because the plugin used unsafe DOM methods.
Attacker JS can attempt session theft, initiate actions on behalf of the user, display phishing overlays, or persist defacements.

Why this is serious in practice:

Contributor accounts are commonly available or created with minimal review.
Stored payloads execute for any user who views the affected page, enabling targeting of admins and editors.
Post-exploitation lateral movement and persistence become easier once privileged users are compromised.

Who is at risk?

Sites running WP Accessibility plugin version 2.3.1 or earlier.
Sites that allow contributors to upload media (many WordPress defaults permit this).
Sites where admins/editors regularly view pages rendering images managed by the plugin.
Sites without layered protections: WAF, CSP, strict role upload restrictions, or careful sanitization of metadata.

How to detect if your site is affected

Verify both plugin version and the stored metadata. Do these checks locally or on staging; avoid probing production with malicious inputs.

Check plugin version:
- WP admin: Plugins > Installed Plugins → WP Accessibility — confirm version is 2.3.2 or later.
- WP-CLI: wp plugin get wp-accessibility --field=version

Search attachment metadata for suspicious strings:

WP-CLI (recommended for safety):

wp post list --post_type=attachment --format=ids
# Then, for each ID:
wp post meta get  _wp_attachment_metadata

SQL (run only with backups and caution):

SELECT post_id, meta_value
FROM wp_postmeta
WHERE meta_key = '_wp_attachment_metadata'
  AND (meta_value LIKE '%onerror%' OR meta_value LIKE '%


Search alt text fields:
SELECT ID, post_title, post_excerpt
FROM wp_posts
WHERE post_type = 'attachment'
  AND (post_excerpt LIKE '%onerror%' OR post_excerpt LIKE '%


Inspect output in the browser:

Open devtools on pages that render images through the plugin. Look for HTML strings built by innerHTML or unexpected onerror attributes or inline 
			
				
			
					
							
			
			
			





		
		
					
				       
    
  
  
 
 
    
  Review My Order
 0 
    
 
    Suggested for you
    
   
 
 
   
 
     Subtotal
 Taxes & shipping calculated at checkout
 
   
 
     Checkout  
 
 
 
 
 
  
 
      
 0 
 














































Notifications

        
        
        


        
        

    
            
            English
            
                                    Chinese (Hong Kong)                                    Chinese (China)                                    Spanish                                    Hindi                                    French