PT-2025-42403 · WordPress · Ally – Web Accessibility & Usability

Dmitry Ignatyev

Published

2025-10-16

Updated

2025-10-16

CVE-2025-10700

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions Ally – Web Accessibility & Usability plugin for WordPress versions prior to 3.8.1

Description The Ally – Web Accessibility & Usability plugin for WordPress is susceptible to Cross-Site Request Forgery. This is caused by inadequate nonce validation within the enable unfiltered files upload function. Successful exploitation allows unauthenticated attackers to enable unfiltered file uploads and add Scalable Vector Graphics (SVG) files to the upload list by deceiving a site administrator into performing an action, such as clicking a malicious link.

Recommendations Update the Ally – Web Accessibility & Usability plugin to version 3.8.1 or later.

Fix

CSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-352

Related Identifiers

CVE-2025-10700

Affected Products

Ally – Web Accessibility & Usability

PT-2025-42403 · WordPress · Ally – Web Accessibility & Usability

CVE-2025-10700

Weakness Enumeration

Related Identifiers

Affected Products

References · 7