CVE-2025-13113
Sensitive Information Exposure in accessiBe WordPress Plugin
Publication date: 2026-02-19
Last updated on: 2026-02-19
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| accessibe | web_accessibility | up to and including 2.11 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the Web Accessibility by accessiBe plugin for WordPress, in all versions up to and including 2.11. It is caused by the function accessibe_render_js_in_footer() which logs the complete plugin options array to the browser console on public pages. This logging happens without restricting the output to privileged users or checking if debug mode is enabled.
As a result, unauthenticated attackers can view sensitive configuration data such as email addresses, accessiBe user IDs, account IDs, and license information through the browser console, even when the widget is disabled.
How can this vulnerability impact me?
This vulnerability can lead to sensitive information exposure. Attackers who are not authenticated can access confidential configuration details including email addresses, user IDs, account IDs, and license information by inspecting the browser console.
Such exposure could potentially be used for targeted attacks, phishing, or unauthorized access attempts, compromising the security and privacy of the affected users or organizations.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the accessiBe plugin is logging the complete plugin options array to the browser console on public pages. Specifically, you can open the browser console on a public page where the accessiBe widget is disabled and look for sensitive configuration data such as email addresses, user IDs, account IDs, and license information.
Since the vulnerability involves output to the browser console, detection involves manual inspection rather than network commands.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the accessiBe plugin to a version later than 2.11 where this issue is fixed.
If an update is not immediately available, disable the accessiBe plugin or ensure that the widget is enabled so that the vulnerable code path that logs sensitive data to the browser console is not executed.
Additionally, review plugin settings to ensure debug mode is disabled and restrict access to privileged users where possible.
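For plugin developers, the fix for the pattern described above is to stop emitting the raw options array on public pages. The following is an added illustration and not the accessiBe plugin's code: the option name, the key names and the function names are hypothetical, and the hardened variant passes only a whitelisted subset of settings to the front end while gating any console diagnostics on an administrator capability and WP_DEBUG.

```php
<?php
// Added example, not code from the affected plugin. Option name, keys and
// function names are hypothetical placeholders.

// Risky pattern: the complete options array (which may hold e-mail
// addresses, account IDs and license data) is written to every visitor's
// browser console, with no capability or debug-mode check.
function example_render_options_unsafe() {
    $options = get_option( 'example_plugin_options', array() );
    echo '<script>console.log(' . wp_json_encode( $options ) . ');</script>';
}

// Hardened pattern, step 1: keep only the keys the widget actually needs.
// Sensitive fields never reach the page regardless of who is viewing it.
function example_front_end_config( array $options ) {
    $public_keys = array( 'widget_enabled', 'position', 'language' ); // hypothetical
    return array_intersect_key( $options, array_flip( $public_keys ) );
}

// Hardened pattern, step 2: attach the filtered subset to the script that
// consumes it instead of logging it, and limit any console diagnostics to
// administrators on a site with debug mode turned on.
function example_enqueue_widget_config() {
    $options = get_option( 'example_plugin_options', array() );
    $config  = example_front_end_config( $options );

    wp_register_script( 'example-widget', plugins_url( 'widget.js', __FILE__ ), array(), '1.0', true );
    wp_add_inline_script(
        'example-widget',
        'window.exampleWidgetConfig = ' . wp_json_encode( $config ) . ';',
        'before'
    );
    wp_enqueue_script( 'example-widget' );

    if ( defined( 'WP_DEBUG' ) && WP_DEBUG && current_user_can( 'manage_options' ) ) {
        // Even here only the filtered subset is logged, never the raw array.
        wp_add_inline_script( 'example-widget', 'console.log(window.exampleWidgetConfig);' );
    }
}

add_action( 'wp_enqueue_scripts', 'example_enqueue_widget_config' );
```

The unsafe function is shown only for contrast and is deliberately not hooked to any action.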