CVE-2025-13113
📋 TL;DR
The Web Accessibility by accessiBe WordPress plugin exposes sensitive configuration data to unauthenticated users via browser console logging. This vulnerability affects all versions up to 2.11 and allows attackers to view email addresses, user IDs, account IDs, and license information when the widget is disabled.
💻 Affected Systems
- Web Accessibility by accessiBe WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers harvest sensitive configuration data including license keys and account credentials, leading to account takeover, license abuse, or targeted phishing campaigns.
Likely Case
Unauthenticated attackers collect exposed email addresses and account information for spam, reconnaissance, or credential stuffing attacks.
If Mitigated
With proper access controls and debug mode disabled, no sensitive data is exposed to unauthenticated users.
🎯 Exploit Status
Exploitation requires only viewing browser console on affected pages with disabled widget.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.12
Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3399416%40accessibe&new=3399416%40accessibe&sfp_email=&sfph_mail=
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Web Accessibility by accessiBe'. 4. Click 'Update Now' if available, or download version 2.12+ from WordPress repository. 5. Activate updated plugin.
🔧 Temporary Workarounds
Disable Plugin
allTemporarily disable the vulnerable plugin until patched.
wp plugin deactivate accessibe
Enable Widget
allKeep the accessibility widget enabled to prevent exposure.
🧯 If You Can't Patch
- Remove or disable the accessiBe plugin entirely
- Implement web application firewall rules to block access to plugin files
🔍 How to Verify
Check if Vulnerable:
Visit any public page with disabled accessiBe widget, open browser console (F12), check for exposed plugin options containing sensitive data.Check Version:
wp plugin get accessibe --field=versionVerify Fix Applied:
After updating to 2.12+, verify browser console no longer shows plugin options array on public pages.📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to pages with disabled accessibility widget
- Multiple requests to plugin files from unauthenticated users
Network Indicators:
- HTTP requests to /wp-content/plugins/accessibe/ files without authentication
SIEM Query:
source="web_logs" AND uri="/wp-content/plugins/accessibe/" AND status=200 AND user_agent NOT CONTAINS "bot"