Description
The Developer Loggers for Simple History plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.5 via the enabled_loggers parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
Published: 2025-09-17
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion enabling code execution
Action: Patch
AI Analysis

Impact

The Developer Loggers for Simple History plugin for WordPress is vulnerable to Local File Inclusion through the enabled_loggers parameter. Administrators and users with higher privileges can include arbitrary .php files, causing the server to execute any PHP code contained within those files. This allows attackers to bypass access controls, read sensitive data, or fully compromise the site by running malicious scripts.

Affected Systems

WordPress sites running the eskapism Developer Loggers for Simple History plugin, version 0.5 or earlier, with the enabled_loggers feature active are exposed to this Local File Inclusion vulnerability when accessed by users with Administrator-level privileges or higher.

Risk and Exploitability

The CVSS score of 6.6 indicates moderate severity, while the EPSS score of less than 1% shows that the likelihood of exploitation is low. The vulnerability is not listed in the CISA KEV catalog. Because exploitation requires authenticated access with Administrator-level privileges, the attack is confined to the site’s administrative interface, specifically the enabled_loggers parameter in the plugin’s settings.

Generated by OpenCVE AI on April 21, 2026 at 19:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to a version newer than 0.5 once the vendor releases a fix
  • If an upgrade is not available, disable the enabled_loggers feature or remove the parameter from the plugin’s configuration code
  • Restrict file uploads to non‑PHP types and enforce strict file permissions on the web‑root directory
  • Audit the plugin source for other potential inclusion points and ensure that all user‑controlled inputs are properly sanitized


Advisories
Source: EUVD
ID: EUVD-2025-29674
Title: The Developer Loggers for Simple History plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.5 via the enabled_loggers parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

History

Wed, 17 Sep 2025 13:15:00 +0000

Type: Metrics
Values Removed: none
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Sep 2025 11:00:00 +0000

Type: First Time appeared
Values Removed: none
Values Added:
  • Eskapism
  • Eskapism developer Loggers For Simple History Plugin
  • Wordpress
  • Wordpress wordpress

Type: Vendors & Products
Values Removed: none
Values Added:
  • Eskapism
  • Eskapism developer Loggers For Simple History Plugin
  • Wordpress
  • Wordpress wordpress

Wed, 17 Sep 2025 02:15:00 +0000

Type: Description
Values Removed: none
Values Added: The Developer Loggers for Simple History plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.5 via the enabled_loggers parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

Type: Title
Values Removed: none
Values Added: Developer Loggers for Simple History <= 0.5 - Authenticated (Admin+) Local File Inclusion

Type: Weaknesses
Values Removed: none
Values Added: CWE-22

Type: References
Values Removed: none
Values Added:

Type: Metrics
Values Removed: none
Values Added: cvssV3_1 {'score': 6.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:16:32.498Z

Reserved: 2025-09-05T18:55:18.588Z

Link: CVE-2025-10050

Vulnrichment

Updated: 2025-09-17T13:10:25.512Z

NVD

Status: Deferred

Published: 2025-09-17T02:15:32.327

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10050

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T19:15:26Z

Weaknesses