Attack Vectors
Web Accessibility by accessiBe (slug: accessibe) is affected by a Medium severity issue (CVSS 5.3) tracked as CVE-2025-13113. The exposure occurs on public-facing pages, meaning a visitor does not need to log in to potentially access the leaked information.
The vulnerability is triggered when the plugin writes the complete plugin options array to the browser console on public pages. Because this output is not limited to privileged users and is not gated behind a debug-mode check, an unauthenticated attacker, or any site visitor, can open the browser console and read the data.
This exposure is reported to be visible in the browser console when the accessiBe widget is disabled, which makes it easy to miss in routine QA testing because the widget itself may not appear on the page.
Security Weakness
The core weakness is unauthenticated sensitive information exposure caused by the accessibe_render_js_in_footer() function logging the plugin’s full configuration (options) to the browser console on public pages. This output is not restricted to admins or other privileged roles and is not gated behind a debug-only condition.
As a result, potentially sensitive configuration data can be disclosed, including email addresses, accessiBe user IDs, account IDs, and license information. Even if this information does not directly grant access to your systems, it can still be valuable to attackers for targeting, social engineering, account enumeration, and vendor-related fraud.
Affected versions include all versions up to and including 2.11. The recommended remediation is to update to version 2.12 or newer, which is identified as patched.
Technical or Business Impacts
Brand and trust risk: When configuration details (such as emails and account identifiers) are exposed on public pages, it increases the likelihood of targeted phishing and impersonation attempts against marketing, finance, and compliance stakeholders. These campaigns often reference real vendor details to appear credible.
Compliance and privacy exposure: If exposed email addresses or identifiers are considered personal or sensitive under your internal policies or regulatory frameworks, this may create reporting obligations or audit findings, even if no direct system compromise occurs.
Commercial and operational risk: Disclosure of license and account information can lead to vendor-account probing or fraudulent requests (for example, “renewal” outreach or billing redirection attempts) that create avoidable time and financial loss for finance and operations teams.
Recommended action: Treat this as a Medium severity issue with meaningful business risk. Update Web Accessibility by accessiBe to 2.12+ promptly, confirm the site no longer logs plugin options to the browser console, and review whether any exposed email addresses should be monitored for phishing or unusual outreach.
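To support the verification step above (confirming that a page no longer logs plugin options to the browser console), here is an added Python check that is not part of this advisory or of the plugin: it extracts inline scripts from a page's HTML, locates console.* calls, and flags any whose argument carries account- or license-like keys. The SENSITIVE_KEYS list and the sample page are constructed assumptions, not the plugin's real markup.

```python
import re
import sys
import urllib.request

# Constructed sample of a public page whose footer script logs a whole options
# object to the console (illustrates the advisory's pattern; not real plugin markup).
SAMPLE_PUBLIC_PAGE = """<html><body><p>Hello</p>
<script>console.log({"email":"owner@example.com","userId":"u-1","accountId":"a-9","license":"LIC-TEST"});</script>
<script>console.log("widget disabled");</script>
</body></html>"""

# Assumed option keys that should never reach an unauthenticated visitor's console.
SENSITIVE_KEYS = {"email", "userid", "user_id", "accountid", "account_id",
                  "license", "licence", "apikey", "api_key", "token", "secret"}

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
CONSOLE_RE = re.compile(r"console\.(?:log|debug|info|warn|error)\s*\(")
KEY_RE = re.compile(r"[\"']?([A-Za-z_][A-Za-z0-9_]*)[\"']?\s*:")

def _balanced_args(text, start):
    """Return the text inside the parenthesis that opens at text[start-1], honouring quoted strings."""
    depth, quote, i = 1, None, start
    while i < len(text) and depth:
        ch = text[i]
        if quote:
            if ch == "\\":
                i += 1          # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "\"'`":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        i += 1
    return text[start:i - 1]

def find_console_leaks(html):
    """Return [(argument_text, sorted_sensitive_keys)] for console calls that print option-like data."""
    leaks = []
    for script in SCRIPT_RE.findall(html):
        for m in CONSOLE_RE.finditer(script):
            args = _balanced_args(script, m.end())
            # Works for JSON and for JS object literals with unquoted keys.
            keys = sorted({k.lower() for k in KEY_RE.findall(args) if k.lower() in SENSITIVE_KEYS})
            if keys:
                leaks.append((args.strip(), keys))
    return leaks

if __name__ == "__main__":
    html = SAMPLE_PUBLIC_PAGE
    if len(sys.argv) > 1:   # optionally scan a live page you are authorised to test
        html = urllib.request.urlopen(sys.argv[1]).read().decode("utf-8", "replace")
    for args, keys in find_console_leaks(html):
        print("console output exposes", ", ".join(keys), "->", args[:120])
```

Run it against the patched site's public pages; an empty result for every page is the expected post-update state.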
Similar Attacks
Publicly accessible information disclosures are frequently used to fuel targeted phishing and fraud. Examples of real-world incidents and related vulnerability patterns include:
Imperva: Data Exposure Overview (background on how exposed data is used by attackers)
Microsoft Security Blog: Phishing campaigns impersonating login pages (illustrates how attackers use contextual details to increase success rates)
OWASP: Information Exposure Through Debug Information (common pattern where debug output leaks sensitive details)