Vulnerabilities and security researches foraccessibe accessibe

Feb 27, 2026

CVE, Research URL: CVE-2025-13113
Home page URL: Security reports for Web Accessibility By accessiBe
Application: Web Accessibility By accessiBe
Date: Feb 19, 2026
Research Description: The Web Accessibility by accessiBe plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.11. This is due to the `accessibe_render_js_in_footer()` function logging the complete plugin options array to the browser console on public pages, without restricting output to privileged users or checking for debug mode. This makes it possible for unauthenticated attackers to view sensitive configuration data, including email addresses, accessiBe user IDs, account IDs, and license information, via the browser console when the widget is disabled.
Affected versions: max 2.12.
Status: vulnerable

Nov 10, 2025

CVE, Research URL: CVE-2025-49920
Home page URL: Security reports for Web Accessibility By accessiBe
Application: Web Accessibility By accessiBe
Date: Oct 22, 2025
Research Description: Missing Authorization vulnerability in accessiBe Web Accessibility By accessiBe accessibe allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Web Accessibility By accessiBe: from n/a through <= 2.10.
Affected versions: max 2.10.
Status: vulnerable

CVE, Research URL: CVE-2025-10375
Home page URL: Security reports for Web Accessibility By accessiBe
Application: Web Accessibility By accessiBe
Date: Oct 11, 2025
Research Description: The Web Accessibility By accessiBe plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.10. This is due to missing nonce validation on multiple AJAX actions including accessibe_signup, accessibe_login, accessibe_license_trial, accessibe_modify_config, and accessibe_add_verification_page. This makes it possible for unauthenticated attackers to modify plugin settings and create verification files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions: max 2.11.
Status: vulnerable

Feb 26, 2025

CVE, Research URL: CVE-2025-26981
Home page URL: Security reports for Web Accessibility By accessiBe
Application: Web Accessibility By accessiBe
Date: Feb 25, 2025
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in accessiBe Web Accessibility By accessiBe allows Reflected XSS. This issue affects Web Accessibility By accessiBe: from n/a through 2.5.
Affected versions: max 2.6.
Status: vulnerable

Jun 06, 2024

CVE, Research URL: 151e736d05eec320b4def08cf3fffb534b42ed58
Home page URL: Security reports for Web Accessibility By accessiBe
Application: Web Accessibility By accessiBe
Date: Jul 27, 2023
Research Description: Web Accessibility By accessiBe [accessibe] < 1.16 Web Accessibility By accessiBe <= 1.15 - Authenticated (Administrator+) Stored Cross-Site Scripting The Web Accessibility By accessiBe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 1.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Affected versions: max 1.16.
Status: vulnerable