CVE-2025-13113 Overview
The Web Accessibility by accessiBe plugin for WordPress contains a Sensitive Information Exposure vulnerability affecting all versions up to and including version 2.11. The vulnerability exists in the accessibe_render_js_in_footer() function, which logs the complete plugin options array to the browser console on public pages without restricting output to privileged users or verifying debug mode status. This allows unauthenticated attackers to view sensitive configuration data through the browser's developer console when the widget is disabled.
Critical Impact
Unauthenticated attackers can access sensitive configuration data including email addresses, accessiBe user IDs, account IDs, and license information by simply viewing the browser console on any public page where the vulnerable plugin is installed.
Affected Products
- Web Accessibility by accessiBe WordPress Plugin versions ≤ 2.11
Discovery Timeline
- 2026-02-19 - CVE-2025-13113 published to NVD
- 2026-02-19 - Last updated in NVD database
Technical Details for CVE-2025-13113
Vulnerability Analysis
This vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The core issue lies in improper handling of debug output in a production environment. The accessibe_render_js_in_footer() function outputs the entire plugin configuration array to the JavaScript console without implementing proper access controls or environment checks.
When the accessiBe widget is disabled, the plugin still executes this function on public-facing pages, inadvertently exposing internal configuration details to any visitor who opens their browser's developer console. This represents a significant information disclosure risk as it exposes account-level details that could be leveraged for targeted attacks against the WordPress site owner or the accessiBe service.
Root Cause
The root cause is insufficient access control in the debug logging implementation. The function fails to verify whether the current user has appropriate privileges before outputting sensitive configuration data and does not check whether debug mode is enabled. The plugin options array, which contains sensitive account information, is unconditionally logged to the console regardless of the user context or environment settings.
Attack Vector
The attack vector is network-based and requires no authentication, privileges, or user interaction. An attacker simply needs to:
- Navigate to any public page on a WordPress site using the vulnerable plugin
- Open the browser's developer console (typically F12 or right-click → Inspect → Console)
- Observe the logged plugin options containing sensitive data
This information exposure occurs automatically when the accessiBe widget is disabled, making it a passive attack that leaves minimal traces and requires no specialized tools or expertise.
Detection Methods for CVE-2025-13113
Indicators of Compromise
- Unusual access patterns to WordPress sites with accessiBe plugin installed
- Web server logs showing repeated page loads with no follow-on interaction (a pattern consistent with console inspection)
- Evidence of reconnaissance activities targeting exposed email addresses or account information
Detection Strategies
- Review browser console output on public pages to verify if sensitive plugin configuration is being logged
- Audit installed WordPress plugins for versions of Web Accessibility by accessiBe at or below 2.11
- Implement Content Security Policy reporting to detect unusual JavaScript console activity
- Monitor for phishing attempts or account compromise targeting exposed email addresses
Monitoring Recommendations
- Enable WordPress activity logging to track plugin behavior and access patterns
- Configure web application firewall (WAF) rules to monitor for potential reconnaissance activity
- Set up alerts for any changes to the accessiBe plugin configuration
- Regularly audit JavaScript console output on production sites as part of security testing
How to Mitigate CVE-2025-13113
Immediate Actions Required
- Update the Web Accessibility by accessiBe plugin to a patched version immediately
- Review exposed information (email addresses, account IDs, license information) for potential misuse
- Consider temporarily disabling the plugin until an update can be applied
- Rotate any potentially exposed credentials or API keys associated with the accessiBe service
Patch Information
A patch is available through the WordPress Plugin Repository. Site administrators should update to the latest version of the plugin that addresses this vulnerability. The fix removes the unconditional console logging behavior and implements proper access controls.
For detailed vulnerability information, refer to the Wordfence Vulnerability Report.
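The root cause above and the fix described in Patch Information are easiest to see side by side. The following is an illustrative reconstruction written for this page, not the plugin's actual source: the option key `accessibe_options`, the `enabled` flag and the field names in the redaction list are assumed, and only the hook name and WordPress API calls (`get_option`, `current_user_can`, `wp_json_encode`, `add_action`) are real.

```php
<?php
// Illustrative reconstruction (not the plugin's source). Option key and
// array fields are assumed for the example.

// BEFORE (the pattern the advisory describes): when the widget is disabled,
// the entire options array is written into a console.log() on every public
// page, with no privilege check and no debug-mode check. Anything echoed into
// the page is readable by any visitor who opens the developer console.
function accessibe_render_js_in_footer_vulnerable() {
    $options = get_option( 'accessibe_options', array() );
    if ( empty( $options['enabled'] ) ) {
        echo '<script>console.log(' . wp_json_encode( $options ) . ');</script>';
        return;
    }
    // ... widget script output for the enabled case ...
}

// AFTER (hardened): console output only for administrators while WP_DEBUG is
// on, and even then with account-level fields redacted.
function accessibe_render_js_in_footer_fixed() {
    $options = get_option( 'accessibe_options', array() );
    if ( empty( $options['enabled'] ) ) {
        if ( accessibe_debug_output_allowed() ) {
            // JSON_HEX_TAG keeps '<' and '>' out of the inline script body.
            echo '<script>console.log('
                . wp_json_encode( accessibe_redact_options( $options ), JSON_HEX_TAG )
                . ');</script>';
        }
        return;
    }
    // ... widget script output for the enabled case ...
}

// Both conditions must hold: debug mode enabled AND a privileged viewer.
function accessibe_debug_output_allowed() {
    return defined( 'WP_DEBUG' ) && WP_DEBUG
        && is_user_logged_in()
        && current_user_can( 'manage_options' );
}

// Mask the kinds of fields the advisory lists as exposed (keys assumed).
function accessibe_redact_options( array $options ) {
    foreach ( array( 'email', 'user_id', 'account_id', 'license' ) as $key ) {
        if ( isset( $options[ $key ] ) ) {
            $options[ $key ] = '[redacted]';
        }
    }
    return $options;
}

add_action( 'wp_footer', 'accessibe_render_js_in_footer_fixed' );
```

The same two checks (privilege and debug mode) are what an auditor would look for when reviewing any plugin that writes configuration into page output.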
Workarounds
- Temporarily deactivate the Web Accessibility by accessiBe plugin until a patched version is installed
- Enable the accessiBe widget if disabling the plugin is not an option, as the vulnerability is triggered when the widget is disabled
- Implement a Web Application Firewall (WAF) rule to filter sensitive output from JavaScript console logging
- Consider using server-side filtering to strip debug output from production page responses
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.