WordPress Plugin Vulnerabilities

WP Accessibility Helper < 0.6.2.9 - Missing Authorization to Authenticated (Subscriber+) Limited Settings Update

Description

The WP Accessibility Helper (WAH) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_contrast_variations' and 'save_empty_contrast_variations' functions in all versions up to, and including, 0.6.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit or delete contrast settings. Please note these issues were patched in 0.6.2.8, though it broke functionality and the vendor has not responded to our follow-ups.

Affects Plugins

Plugin icon
wp-accessibility-helper
Fixed in 0.6.2.9

References

CVE
CVE-2024-5987
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/d3beee75-0480-4504-a177-45f8cd32cf36

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
849246a8-4766-4796-8264-14b26102cd84

Timeline

Publicly Published
2024-08-28 (about 1 year ago)
Added
2024-08-28 (about 1 year ago)
Last Updated
2024-08-29 (about 1 year ago)

Other

Published
Title
Published
2026-01-31
Title
Order Tracking <= 3.4.4 - Missing Authorization
Published
2026-01-15
Title
Cost Calculator Builder < 3.6.10 - Missing Authorization to Unauthenticated Payment Status Bypass
Published
2026-01-27
Title
aDirectory < 3.0.4 - Missing Authorization
Published
2025-11-24
Title
Ace Post Type Builder < 2.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Custom Taxonomy Deletion via 'taxonomy' Parameter
Published
2025-09-09
Title
WP Import – Ultimate CSV XML Importer for WordPress < 7.28 - Missing Authorization to Authenticated (Subscriber+) FTP/SFTP Credential Exposure