CVE-2022-41643 - Admin+ Stored XSS in WordPress Accessibility Plugin <= 1..3 – Full Breakdown, Exploit, and Mitigation

---

Introduction

In late 2022, a significant vulnerability was identified in the popular Accessibility plugin for WordPress (versions up to and including 1..3). This vulnerability, assigned CVE-2022-41643, allowed any logged-in user with administrator (or higher) privileges to inject malicious JavaScript into the WordPress site, leading to what’s known as a Stored Cross-Site Scripting (XSS) attack. In this post, we’ll break down how the flaw works, see code examples, walkthrough a proof-of-concept, and discuss how admins can protect themselves.

What is the Accessibility Plugin?

The Accessibility plugin for WordPress is meant to help site owners make their websites friendlier for people with disabilities—by providing tools to adjust contrast, font size, and other visual elements.

Plugin page: https://wordpress.org/plugins/accessibility/

What is a Stored XSS (Cross-Site Scripting) Vulnerability?

A Stored XSS vulnerability happens when a website allows a user to inject malicious script—often JavaScript—which is then served and runs in the browser of anyone viewing the infected page. Unlike Reflected XSS, the malicious code sits (or is "stored") in the site's database and impacts everyone who views the content where it was stored.

References

- NVD – CVE-2022-41643
- WPScan Report
- Plugin Page

How the Exploit Works

The plugin’s settings page allowed an admin to update widget text (e.g., the content shown in the accessibility toolbar) without proper sanitization. The code failed to sanitize or encode user input before saving it to the WordPress database.

This meant that if an admin edited a plugin setting and added something like

<script>alert('XSS by admin!')</script>

…the script would be saved in the database, and rendered as-is on every page (depending how the widget is placed). Any site visitor, including other admins (or even anonymous users if the output is public), would have their browser execute this script.

Let’s look at a simplified version of the code

if (isset($_POST['a11y_widget_text'])) {
    update_option('a11y_widget_text', $_POST['a11y_widget_text']);
}

$a11y_text = get_option('a11y_widget_text', 'Default text');
echo $a11y_text;

$_POST['a11y_widget_text'] is directly stored in the database.

- echo $a11y_text; outputs the text to the page with no escaping, which means HTML/JS is executed as part of the page.

As a logged-in admin, visit the plugin’s settings page and set the "widget text" field to

<script>alert('Hacked by admin')</script>

Go to Accessibility’s settings page.

3. In any customizable input (often "Widget Text"), insert <script>alert('Hacked by admin')</script>.

Visit a page where the Accessibility widget or feature is displayed.

Result:  
All visitors will see an alert box pop up with the injected message. Someone could easily insert something far more dangerous, such as code to steal cookies, redirect traffic, or load malicious content.

Potential Impact

- Limited to administrator (or higher) roles: Lower-level users can NOT use this to attack, but if an admin’s account is compromised in some way, an attacker can use this to set up post-compromise persistence or further attacks.
- All site visitors at risk: Anyone viewing the page (including other site admins and regular users) could be affected.
- Malware or phishing delivery: After exploiting this, attackers can inject malicious scripts, phishing forms, or redirect code site-wide.

Real-World Risks

Even though the bug requires admin+ access, XSS is often used in privilege escalation chains — for example:

Shared admin accounts or password reuse.

And once stored, the XSS is persistent, potentially allowing broad exploitation down the road.


## How To Fix / Mitigate

1. Update the Plugin  
First, check if the plugin has a security update. As of June 2024, there is no public fix, so consider the following mitigations.

2. Manually sanitize output

Add esc_html() or similar sanitization functions when rendering user-customizable content

$a11y_text = get_option('a11y_widget_text', 'Default text');
echo esc_html($a11y_text);

3. Use a Security Plugin
Install plugins like Wordfence or Sucuri, which may help block common exploits.

4. Restrict Administrator Access
Only grant admin access to trusted users. Regularly audit admin users.

5. Monitor For IOC
Check your WordPress database for <script> tags in plugin settings.

Conclusion

CVE-2022-41643 is a reminder that even plugins focused on accessibility and best practices can have dangerous flaws, especially if user input isn’t handled correctly. Though restricted to admin+ roles, stored XSS in a plugin is always a high-risk scenario. Always sanitize input, validate output, and update critical plugins when security issues are found.

Links

- Official Plugin Page
- Full CVE details (NVD)
- WPScan Advisory


*If you found this useful, follow for more deep dives into WordPress security!*

Timeline

Published on: 11/18/2022 23:15:00 UTC
Last modified on: 11/23/2022 17:46:00 UTC