What the vulnerability does
01Description
The Web Accessibility by accessiBe plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.11. This is due to the `accessibe_render_js_in_footer()` function logging the complete plugin options array to the browser console on public pages, without restricting output to privileged users or checking for debug mode. This makes it possible for unauthenticated attackers to view sensitive configuration data, including email addresses, accessiBe user IDs, account IDs, and license information, via the browser console when the widget is disabled.
Explanation of Vulnerability in Simple Terms
02Summary
Web Accessibility by accessiBe versions 2.11 and earlier expose sensitive information that can be accessed over the network without authentication. An attacker can read this data directly, though the specific information exposed depends on the plugin's configuration and data storage. Update to a version newer than 2.11 to resolve this issue.
What an attacker can do
03Attacker Capabilities
Read sensitive information exposed by the plugin without needing to log in.
Potential impact on your site
04Site Impact
Sensitive data may be visible to unauthenticated visitors; exact impact depends on what information the plugin stores.
Conditions required to exploit
05Prerequisites
Network access to the site; no authentication or user interaction required.
Key dates
06Disclosure timeline
February 19, 2026
CVE published
April 8, 2026
Record updated
