Impact
A missing authorization check in the Debug Log Viewer plugin allows attackers to view sensitive debugging logs. The flaw is an instance of improper access control (CWE-862), which can expose application internals and potentially aid further attacks. The impact is primarily the exfiltration of log information that may contain user data, authentication tokens, or system configuration details, thereby compromising confidentiality and enabling information gathering for more advanced exploits.
Affected Systems
The vulnerability affects the Debug Log Viewer plugin developed by Oleksandr Lysyi. Any installation running version 2.0.3 or earlier is at risk; no lower bound on affected versions is identified.
Risk and Exploitability
The CVSS score of 5.4 indicates moderate severity, and the EPSS score of less than 1% suggests a low but non-zero likelihood of exploitation at the time of this analysis. The vulnerability is not listed in the CISA KEV catalog. Attackers can potentially exploit this flaw by accessing the plugin’s log viewing endpoint, and the absence of proper role checks may allow anonymous or non-administrator users to retrieve logs. Successful exploitation requires network access to the WordPress site and may be easiest for authenticated users or those who can guess the endpoint URL.
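The fix for this class of flaw (CWE-862) is an authorization check on the endpoint itself. The following is an added illustration, not code from the Debug Log Viewer plugin: a hypothetical WordPress REST route that serves the debug log only to users holding the manage_options capability, with the vulnerable pattern shown in a comment for contrast. The route namespace, function names and log path handling are assumptions.

```php
<?php
// Added example; not the plugin's own code. Namespace and function names
// are hypothetical placeholders. Runs only as part of a WordPress plugin.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-debug-log/v1', '/log', array(
        'methods'  => 'GET',
        'callback' => 'example_read_debug_log',
        // Vulnerable pattern (CWE-862): 'permission_callback' => '__return_true'
        // lets any visitor, logged in or not, read the log.
        // Hardened: require an administrator-level capability. Cookie-based
        // REST auth also needs a valid X-WP-Nonce, so an anonymous request
        // fails before this callback runs.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );

function example_read_debug_log( WP_REST_Request $request ) {
    // WP_DEBUG_LOG is either true (default path) or a custom path string.
    $path = ( defined( 'WP_DEBUG_LOG' ) && is_string( WP_DEBUG_LOG ) )
        ? WP_DEBUG_LOG
        : WP_CONTENT_DIR . '/debug.log';

    if ( ! file_exists( $path ) || ! is_readable( $path ) ) {
        return new WP_Error( 'no_log', 'Debug log not found.', array( 'status' => 404 ) );
    }

    // Serve only the last 64 KiB so one request cannot pull an entire large log.
    $max  = 64 * 1024;
    $size = filesize( $path );
    $fh   = fopen( $path, 'rb' );
    fseek( $fh, max( 0, $size - $max ) );
    $tail = stream_get_contents( $fh );
    fclose( $fh );

    return rest_ensure_response( array(
        'file' => basename( $path ),
        'tail' => $tail,
    ) );
}
```

Defenders can also confirm the check is present by requesting the route while logged out and expecting an HTTP 401 rather than log content.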
OpenCVE Enrichment