CVE-2025-13113 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) affecting the Web Accessibility by accessiBe plugin for WordPress. The root cause is the function accessibe_render_js_in_footer(), which indiscriminately logs the entire plugin options array to the browser console on public-facing pages. This logging occurs regardless of user privileges or whether the site is in debug mode, making sensitive configuration data visible to any visitor inspecting the browser console. The exposed data includes email addresses, accessiBe user IDs, account IDs, and license information, which could be leveraged by attackers for further reconnaissance, phishing, or social engineering attacks. The vulnerability affects all versions up to and including 2.11, with no authentication or user interaction required for exploitation. While no active exploits have been reported, the ease of access to sensitive data represents a significant privacy risk. The vulnerability is scored 5.3 (medium) on the CVSS 3.1 scale, reflecting its network attack vector, low complexity, no privileges required, and no user interaction needed, but limited impact to confidentiality only, with no integrity or availability consequences. The plugin is widely used to enhance web accessibility compliance, making this vulnerability relevant to many WordPress sites globally.

For European organizations, this vulnerability can lead to unauthorized disclosure of sensitive configuration data, potentially exposing internal email addresses, user identifiers, and license details. Such information leakage can facilitate targeted phishing campaigns, social engineering, or unauthorized account enumeration. While it does not directly compromise site integrity or availability, the exposure of sensitive data undermines privacy and compliance with data protection regulations such as GDPR. Organizations in sectors with strict data privacy requirements, including government, healthcare, finance, and education, may face reputational damage or regulatory scrutiny if exploited. Additionally, attackers could use the exposed information to craft more convincing attacks or identify high-value targets within an organization. The vulnerability’s presence on public-facing WordPress sites increases the attack surface, especially for organizations relying on accessiBe for accessibility compliance. The medium severity rating indicates a moderate risk that should be addressed promptly to prevent potential escalation or combined attacks.

European organizations should immediately verify if their WordPress sites use the Web Accessibility by accessiBe plugin and identify the installed version. Since no patch links are currently provided, organizations should monitor the vendor’s announcements for an official update addressing this issue. In the interim, a practical mitigation is to disable or remove the accessibe_render_js_in_footer() function’s logging behavior by customizing the plugin code or using WordPress hooks to prevent sensitive data from being output to the browser console. Restricting access to the browser console output via Content Security Policy (CSP) or disabling debug mode site-wide can reduce exposure. Additionally, organizations should audit their public-facing sites for any sensitive information leakage and implement monitoring to detect unusual access patterns or reconnaissance attempts. Educating web administrators about the risks of exposing configuration data and enforcing strict plugin update policies will help prevent similar vulnerabilities. Finally, consider alternative accessibility solutions with better security postures until a fix is available.