CVE-2025-13113
Awaiting Analysis Awaiting Analysis - Queue
Sensitive Information Exposure in accessiBe WordPress Plugin

Publication date: 2026-02-19

Last updated on: 2026-02-19

Assigner: Wordfence

Description
The Web Accessibility by accessiBe plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.11. This is due to the `accessibe_render_js_in_footer()` function logging the complete plugin options array to the browser console on public pages, without restricting output to privileged users or checking for debug mode. This makes it possible for unauthenticated attackers to view sensitive configuration data, including email addresses, accessiBe user IDs, account IDs, and license information, via the browser console when the widget is disabled.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-19
Last Modified
2026-02-19
Generated
2026-06-16
AI Q&A
2026-02-19
EPSS Evaluated
2026-06-15
NVD
CVE-2025-13113
EUVD
EUVD-2025-207881
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
accessibe web_accessibility to 2.11 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the Web Accessibility by accessiBe plugin for WordPress, in all versions up to and including 2.11. It is caused by the function accessibe_render_js_in_footer() which logs the complete plugin options array to the browser console on public pages. This logging happens without restricting the output to privileged users or checking if debug mode is enabled.

As a result, unauthenticated attackers can view sensitive configuration data such as email addresses, accessiBe user IDs, account IDs, and license information through the browser console, even when the widget is disabled.

Impact Analysis

This vulnerability can lead to sensitive information exposure. Attackers who are not authenticated can access confidential configuration details including email addresses, user IDs, account IDs, and license information by inspecting the browser console.

Such exposure could potentially be used for targeted attacks, phishing, or unauthorized access attempts, compromising the security and privacy of the affected users or organizations.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by checking if the accessiBe plugin is logging the complete plugin options array to the browser console on public pages. Specifically, you can open the browser console on a public page where the accessiBe widget is disabled and look for sensitive configuration data such as email addresses, user IDs, account IDs, and license information.

Since the vulnerability involves output to the browser console, detection involves manual inspection rather than network commands.

Mitigation Strategies

Immediate mitigation steps include updating the accessiBe plugin to a version later than 2.11 where this issue is fixed.

If an update is not immediately available, disable the accessiBe plugin or ensure that the widget is enabled so that the vulnerable code path that logs sensitive data to the browser console is not executed.

Additionally, review plugin settings to ensure debug mode is disabled and restrict access to privileged users where possible.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13113. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart