Description
The Web Accessibility by accessiBe plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.11. This is due to the `accessibe_render_js_in_footer()` function logging the complete plugin options array to the browser console on public pages, without restricting output to privileged users or checking for debug mode. This makes it possible for unauthenticated attackers to view sensitive configuration data, including email addresses, accessiBe user IDs, account IDs, and license information, via the browser console when the widget is disabled.
Published: 2026-02-19
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Exposure (potential disclosure of user emails, IDs, and license data)
Action: Apply Patch
AI Analysis

Impact

The Web Accessibility by accessiBe WordPress plugin logs the entire configuration array to the browser console on every public page load when the widget is disabled. This logging occurs without any privilege checks or debug‑mode gating, allowing any visitor to view sensitive data such as email addresses, user IDs, account IDs, and license keys. The exposure is not limited to authenticated users; it is possible for any unauthenticated attacker to retrieve confidential configuration information via the browser console.

Affected Systems

WordPress sites running the Web Accessibility by accessiBe plugin in any version up to and including 2.11. Every release in that range is affected.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity, and the EPSS score of less than 1% reflects a low likelihood of exploitation at present. It is not listed in the CISA KEV catalog. The likely attack vector is a remote, unauthenticated web attacker who simply visits the site and opens the browser console to inspect logged data. No special network access or credentials are required. Once the page loads, the sensitive data is exposed just by viewing the console output.

Generated by OpenCVE AI on April 21, 2026 at 15:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the accessiBe plugin to version 2.12 or later, where the console logging is removed or limited to debug mode.
  • If you cannot upgrade immediately, remove or comment out the `accessibe_render_js_in_footer()` function or the `console.log` statement from the plugin file to stop the data being logged.
  • As a temporary precaution, enable the widget to prevent the console logging from occurring until a patch is applied.
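
The logging pattern described above, next to a gated form of the kind the first recommended action refers to, as an added example. It is not the accessiBe plugin's code: the option name, its keys and both function names are hypothetical, and only the WordPress core calls (`get_option`, `wp_json_encode`, `current_user_can`, `add_action`, `WP_DEBUG`) are real.

```php
<?php
// Added illustration, NOT the accessiBe plugin's source.
// 'example_plugin_options', its keys and the function names are hypothetical.

// Unsafe pattern: when the widget is disabled, every visitor receives the
// complete options array inside the public page.
function example_render_js_in_footer_unsafe() {
    $options = get_option( 'example_plugin_options', array() );
    if ( empty( $options['widget_enabled'] ) ) {
        // Emails, account IDs and license data end up in the HTML source
        // and in the browser console of any unauthenticated visitor.
        echo '<script>console.log(' . wp_json_encode( $options ) . ');</script>';
        return;
    }
    // ... the widget loader would be printed here ...
}

// Hardened pattern: diagnostics only in debug mode, only for administrators,
// and only for an allowlist of non-sensitive keys.
function example_render_js_in_footer_safe() {
    $options = get_option( 'example_plugin_options', array() );
    if ( ! is_array( $options ) ) {
        $options = array();
    }
    if ( empty( $options['widget_enabled'] ) ) {
        $debug = defined( 'WP_DEBUG' ) && WP_DEBUG;
        if ( $debug && current_user_can( 'manage_options' ) ) {
            // Never serialise the whole array; pick the keys that are safe to show.
            $allowed = array( 'widget_enabled', 'widget_position' );
            $public  = array_intersect_key( $options, array_flip( $allowed ) );
            // JSON_HEX_* keeps the payload inert inside an inline <script>.
            $json = wp_json_encode( $public, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT );
            echo '<script>console.debug(' . $json . ');</script>';
        }
        return;
    }
    // ... the widget loader would be printed here ...
}
add_action( 'wp_footer', 'example_render_js_in_footer_safe' );
```

The allowlist matters as much as the privilege check: a debug-only dump of the full array still leaks if `WP_DEBUG` is left on in production and an administrator's rendered page is cached.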


Advisories

No advisories yet.

History

Fri, 20 Feb 2026 01:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Feb 2026 10:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Accessibewp; Accessibewp web Accessibility By Accessibe; Wordpress; Wordpress wordpress
Vendors & Products | | Accessibewp; Accessibewp web Accessibility By Accessibe; Wordpress; Wordpress wordpress

Thu, 19 Feb 2026 04:15:00 +0000

Type | Values Removed | Values Added
Description | | The Web Accessibility by accessiBe plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.11. This is due to the `accessibe_render_js_in_footer()` function logging the complete plugin options array to the browser console on public pages, without restricting output to privileged users or checking for debug mode. This makes it possible for unauthenticated attackers to view sensitive configuration data, including email addresses, accessiBe user IDs, account IDs, and license information, via the browser console when the widget is disabled.
Title | | Web Accessibility by accessiBe <= 2.11 - Unauthenticated Sensitive Information Exposure
Weaknesses | | CWE-200
References | |
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:14:16.141Z

Reserved: 2025-11-13T01:15:54.112Z

Link: CVE-2025-13113

Vulnrichment

Updated: 2026-02-19T17:23:09.243Z

NVD

Status: Deferred

Published: 2026-02-19T07:17:30.333

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13113

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T16:00:13Z

Weaknesses