Description
The SSP Debug plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.0. This is due to the plugin storing PHP error logs in a predictable, web-accessible location (wp-content/uploads/ssp-debug/ssp-debug.log) without any access controls. This makes it possible for unauthenticated attackers to view sensitive debugging information including full URLs, client IP addresses, User-Agent strings, WordPress user IDs, and internal filesystem paths.
Published: 2025-12-05
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch
AI Analysis

Impact

The SSP Debug plugin for WordPress is vulnerable to sensitive information exposure in all versions up to and including 1.0.0. The plugin writes its PHP error log to a predictable, web-accessible file (wp-content/uploads/ssp-debug/ssp-debug.log) with no access control, so anyone who can reach the site over HTTP can read it. The log may contain full request URLs, client IP addresses, User-Agent strings, WordPress user IDs, and internal filesystem paths. The weakness is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).

Affected Systems

WordPress sites running the SSP Debug plugin by jimmyredline80, any version up to and including 1.0.0. The flaw is in the plugin itself and does not depend on a particular WordPress core version or site configuration; the only precondition is that the uploads directory is served by the web server, which is the default.

Risk and Exploitability

The attack vector is a single unauthenticated HTTP GET request to the predictable log path (wp-content/uploads/ssp-debug/ssp-debug.log). No credentials, user interaction, or special conditions are required, which is what the CVSS vector AV:N/AC:L/PR:N/UI:N expresses, and because the path is fixed the check is trivially scriptable (the SSVC assessment marks it Automatable: yes). The 5.3 score reflects that the only impact is a limited loss of confidentiality (C:L/I:N/A:N). The EPSS score of under 1% indicates that exploitation is currently assessed as rare, and the CVE is not listed in the CISA KEV catalog. The practical risk is reconnaissance: the log reveals site structure, server filesystem paths, user IDs, and visitor details that an adversary can use to plan further attacks against the site or its users.
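The check described above, as an added example that is not part of the OpenCVE page or of the SSP Debug plugin: a POSIX shell script that requests the predictable log path with curl, decides from the status code and content type whether the file is actually being served (a soft-404 HTML page also returns 200 on many WordPress sites), and counts the log lines that carry the data types the advisory lists. The site URL, the `SAMPLE_LOG` text and its line format are assumptions; the advisory does not show the real log format.

```shell
#!/bin/sh
# Added example, not code from the OpenCVE page or from the SSP Debug plugin.
# Probes a WordPress site for the world-readable log file described in
# CVE-2025-13494 and counts the log lines that carry the data types the
# advisory lists. Requires curl. The site URL and the sample log lines are
# assumptions; the real log line format is not known from the advisory.

LOG_PATH="wp-content/uploads/ssp-debug/ssp-debug.log"

# Build the probe URL from a site base URL; a trailing slash is optional.
probe_url() {
    printf '%s/%s\n' "${1%/}" "$LOG_PATH"
}

# Read log text on stdin and print the number of lines that contain at least
# one indicator the advisory names: an IPv4 address, a WordPress user id, an
# absolute filesystem path, or a full URL. grep -c prints 0 (and exits 1)
# when nothing matches, hence the "|| true".
count_sensitive_lines() {
    grep -Ec '([0-9]{1,3}\.){3}[0-9]{1,3}|user_id=[0-9]+|/(var|home|srv|usr|www)/[^ ]+|https?://[^ ]+' || true
}

# Decide from HTTP status and content type whether the file is being served.
# WordPress commonly answers a missing path with an HTML page, so a 200 only
# counts as exposure when the body is not HTML.
classify_response() {
    case "$1" in
        200) case "$2" in
                 text/html*) echo "not-exposed (HTML page, probably a soft 404)" ;;
                 *)          echo "exposed" ;;
             esac ;;
        401|403) echo "not-exposed (access denied: $1)" ;;
        404)     echo "not-exposed (404)" ;;
        *)       echo "inconclusive (HTTP $1)" ;;
    esac
}

# Fetch the log over HTTP and report the verdict; when exposed, also report
# how many lines hold sensitive indicators.
check_site() {
    url=$(probe_url "$1")
    body=$(mktemp) || return 1
    meta=$(curl -sS -o "$body" -w '%{http_code} %{content_type}' "$url") || { rm -f "$body"; return 1; }
    code=${meta%% *}
    ctype=${meta#* }
    verdict=$(classify_response "$code" "$ctype")
    echo "$url: $verdict"
    if [ "$verdict" = "exposed" ]; then
        echo "sensitive lines: $(count_sensitive_lines < "$body")"
    fi
    rm -f "$body"
}

# Constructed sample of what such a log might hold (format is assumed).
SAMPLE_LOG='[05-Dec-2025 10:00:00 UTC] PHP Notice: undefined index in /var/www/html/wp-content/plugins/ssp-debug/ssp-debug.php on line 42
[05-Dec-2025 10:00:01 UTC] request url=https://example.test/wp-admin/admin-ajax.php ip=203.0.113.5 ua="Mozilla/5.0" user_id=1
[05-Dec-2025 10:00:02 UTC] ssp-debug started'

# Usage: sh probe.sh https://example.test   (hypothetical host)
if [ -n "${1:-}" ]; then
    check_site "$1"
fi
```

A 403 returned by a CDN or WAF in front of the site does not prove the file is protected at the origin; when the site sits behind one, repeat the check against the origin host as well, and treat the "sensitive lines" count as a lower bound, since the patterns only cover the indicator types named in the advisory.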

Generated by OpenCVE AI on April 22, 2026 at 00:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • No fixed release is listed at the time of writing (see Remediation above): uninstall the plugin if it is not needed, or upgrade as soon as a version newer than 1.0.0 that addresses the issue is published. In either case delete the existing wp-content/uploads/ssp-debug/ssp-debug.log, since removing the plugin does not necessarily remove the log it already wrote.
  • Add a .htaccess rule or equivalent web server configuration to deny public access to the /wp-content/uploads/ssp-debug/ directory, for example "Require all denied" (Apache 2.4) or "Deny from all" (Apache 2.2). .htaccess files are only honoured by Apache, and only where AllowOverride permits them, so nginx and other servers need the rule in their own server configuration.
  • Disable the plugin's PHP error logging, or redirect the log to a directory outside the web root and restrict its file permissions so that only the PHP worker user can read it.
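The web-server side of the mitigation above, as an added example that is not part of the OpenCVE page or of the plugin: a POSIX shell script that writes a deny-all .htaccess into the ssp-debug upload directory (both the Apache 2.4 and 2.2 forms, each guarded by IfModule so it works under either version), tightens the permissions on an existing log file, and prints the nginx equivalent, since nginx does not read .htaccess. The WordPress document root passed as the argument is an assumption.

```shell
#!/bin/sh
# Added example, not code from the OpenCVE page or from the SSP Debug plugin.
# Applies the recommended mitigation for CVE-2025-13494: deny HTTP access to
# wp-content/uploads/ssp-debug/ and restrict the log's permissions.
# The WordPress document root is an assumption. Only Apache honours .htaccess;
# an nginx equivalent is printed for copying into the server block.

SSP_DIR="wp-content/uploads/ssp-debug"

# Write an .htaccess that denies everything, in both the Apache 2.4 (Require)
# and 2.2 (Order/Deny) forms. Argument: the WordPress document root.
# Prints the path of the file written.
write_deny_htaccess() {
    dir="${1%/}/$SSP_DIR"
    mkdir -p "$dir" || return 1
    cat > "$dir/.htaccess" <<'EOF'
# Block all HTTP access to SSP Debug log files (CVE-2025-13494)
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
    # Keep an existing log readable only by its owner (the PHP worker user).
    if [ -f "$dir/ssp-debug.log" ]; then
        chmod 0600 "$dir/ssp-debug.log"
    fi
    printf '%s/.htaccess\n' "$dir"
}

# Return success when the deny rules are present under the given document root.
htaccess_denies_all() {
    f="${1%/}/$SSP_DIR/.htaccess"
    [ -f "$f" ] && grep -q 'Require all denied' "$f" && grep -q 'Deny from all' "$f"
}

# nginx ignores .htaccess; print the equivalent location block. The ^~ prefix
# match takes precedence over regex locations that serve static files.
nginx_snippet() {
    cat <<'EOF'
location ^~ /wp-content/uploads/ssp-debug/ {
    deny all;
}
EOF
}

# Usage: sh deny-ssp-debug.sh /var/www/html   (assumed document root)
if [ -n "${1:-}" ]; then
    write_deny_htaccess "$1"
    nginx_snippet
fi
```

The .htaccess only takes effect if the directory's AllowOverride setting permits it (AuthConfig for Require, Limit for Order/Deny); verify afterwards with an unauthenticated request to the log URL and expect a 403. The chmod is a point-in-time fix: the plugin can recreate the file with its default permissions on the next write, so the permission change is a complement to the web-server rule, not a substitute for it.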



Advisories

No advisories yet.

History

Fri, 05 Dec 2025 16:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 05 Dec 2025 11:00:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Fri, 05 Dec 2025 04:45:00 +0000

Type: Description
Values Added: The SSP Debug plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.0. This is due to the plugin storing PHP error logs in a predictable, web-accessible location (wp-content/uploads/ssp-debug/ssp-debug.log) without any access controls. This makes it possible for unauthenticated attackers to view sensitive debugging information including full URLs, client IP addresses, User-Agent strings, WordPress user IDs, and internal filesystem paths.

Type: Title
Values Added: SSP Debug <= 1.0.0 - Unauthenticated Sensitive Information Exposure

Type: Weaknesses
Values Added: CWE-200

Type: References
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:58:06.482Z

Reserved: 2025-11-20T21:57:46.360Z

Link: CVE-2025-13494

Vulnrichment

Updated: 2025-12-05T15:50:47.279Z

NVD

Status : Deferred

Published: 2025-12-05T05:16:58.213

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13494

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T00:30:04Z

Weaknesses