Description
The Debug Log Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the auto-refresh debug log in all versions up to, and including, 2.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2025-32613 is a duplicate of this CVE.
Published: 2025-04-19
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Upgrade Plugin
AI Analysis

Impact

The Debug Log Manager plugin for WordPress contains a stored Cross‑Site Scripting vulnerability in its auto‑refresh debug log feature. Because input is not properly validated or escaped before being stored, an unauthenticated attacker can inject arbitrary web scripts that will be executed whenever a user views an injected page. This flaw is associated with CWE‑79.

Affected Systems

Any WordPress site that has installed the Debug Log Manager plugin by qriouslad and is running version 2.3.4 or earlier is affected. The vulnerability is not limited by user role; any visitor to a page that triggers the auto‑refresh debug log can be exposed to the injected script.

Risk and Exploitability

The CVSS score of 7.2 denotes high severity, while the EPSS score of less than 1% indicates a low probability of current exploitation. The flaw is not listed in CISA KEV. An attacker can exploit the vulnerability by triggering the auto‑refresh debug log on an unauthenticated page, causing the injected script to run for all users who view that page.

Generated by OpenCVE AI on April 21, 2026 at 21:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Debug Log Manager to a version newer than 2.3.4 that removes the XSS flaw.
  • If a newer version is not immediately available, uninstall the plugin to eliminate the risk entirely.
  • If removal is not possible and the plugin is needed for critical functionality, consider disabling the auto‑refresh debug log feature as a temporary measure to prevent script injection.

Advisories
Source: EUVD
ID: EUVD-2025-11932
Title: The Debug Log Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the auto-refresh debug log in all versions up to, and including, 2.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

History

Wed, 08 Apr 2026 18:30:00 +0000

Type: Description
Values Removed: The Debug Log Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the auto-refresh debug log in all versions up to, and including, 2.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Values Added: The Debug Log Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the auto-refresh debug log in all versions up to, and including, 2.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2025-32613 is a duplicate of this CVE.

Mon, 21 Apr 2025 03:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 19 Apr 2025 05:45:00 +0000

Type: Description
Values Added: The Debug Log Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the auto-refresh debug log in all versions up to, and including, 2.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Added: Debug Log Manager <= 2.3.4 - Unauthenticated Stored Cross-Site Scripting

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:23:36.556Z

Reserved: 2025-04-18T16:23:58.756Z

Link: CVE-2025-3809

Vulnrichment

Updated: 2025-04-21T02:39:00.644Z

NVD

Status: Deferred

Published: 2025-04-19T06:15:19.960

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-3809

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T21:15:45Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')