Description
The Debugger & Troubleshooter plugin for WordPress was vulnerable to Unauthenticated Privilege Escalation in versions up to and including 1.3.2. This was due to the plugin accepting the wp_debug_troubleshoot_simulate_user cookie value directly as a user ID without any cryptographic validation or authorization checks. The cookie value was used to override the determine_current_user filter, which allowed unauthenticated attackers to impersonate any user by simply setting the cookie to their target user ID. This made it possible for unauthenticated attackers to gain administrator-level access and perform any privileged actions including creating new administrator accounts, modifying site content, installing plugins, or taking complete control of the WordPress site. The vulnerability was fixed in version 1.4.0 by implementing a cryptographic token-based validation system where only administrators can initiate user simulation, and the cookie contains a random 64-character token that must be validated against database-stored mappings rather than accepting arbitrary user IDs.
Published: 2026-03-30
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation to Administrator
Action: Immediate Patch
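
The vulnerable pattern the description refers to, beside a hardened form that follows the fix it describes, as an added illustration written for this page rather than the plugin's own code. It assumes a WordPress runtime (PHP 7.3 or later for the array form of setcookie); the function names, the option name debug_sim_sessions, the nonce action debug_sim_start and the 15-minute expiry are assumptions, and storing only a hash of the token is an extra hardening step the description does not mention.

```php
<?php
// Added illustration for CVE-2026-5130, not the plugin's code. The cookie name is
// the one from the advisory; option, nonce and function names are assumptions.
define( 'SIM_COOKIE', 'wp_debug_troubleshoot_simulate_user' );
define( 'SIM_OPTION', 'debug_sim_sessions' );
define( 'SIM_TTL', 15 * MINUTE_IN_SECONDS );

// --- Vulnerable pattern (<= 1.3.2 behaviour as described) ---------------------
// The cookie value is trusted as a user ID. Any visitor who sends
// "Cookie: wp_debug_troubleshoot_simulate_user=1" is treated as user 1.
function vuln_determine_current_user( $user_id ) {
    if ( ! empty( $_COOKIE[ SIM_COOKIE ] ) ) {
        return (int) $_COOKIE[ SIM_COOKIE ];   // no authorization, no integrity check
    }
    return $user_id;
}
// add_filter( 'determine_current_user', 'vuln_determine_current_user', 20 );

// --- Hardened pattern (1.4.0 approach as described) ---------------------------
// 1. Only a logged-in administrator may start a simulation (capability + nonce).
// 2. The cookie carries a random 64-character token, never a user ID.
// 3. The token is resolved through a server-side mapping; unknown, malformed or
//    expired tokens are ignored and the real user context is kept.
function sim_start( $target_user_id ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'debug_sim_start' );           // CSRF check; nonce action is assumed
    $target_user_id = (int) $target_user_id;
    if ( ! get_userdata( $target_user_id ) ) {
        wp_die( 'No such user', '', array( 'response' => 400 ) );
    }

    $token    = bin2hex( random_bytes( 32 ) );           // 64 hex chars from a CSPRNG
    $sessions = (array) get_option( SIM_OPTION, array() );
    foreach ( $sessions as $key => $s ) {                // prune expired entries here,
        if ( $s['expires'] < time() ) {                  // not inside the filter
            unset( $sessions[ $key ] );
        }
    }
    // Store only a hash: a leaked database dump must not yield usable tokens.
    $sessions[ hash( 'sha256', $token ) ] = array(
        'user_id'  => $target_user_id,
        'admin_id' => get_current_user_id(),             // who started it, for audit
        'expires'  => time() + SIM_TTL,
    );
    update_option( SIM_OPTION, $sessions, false );

    setcookie( SIM_COOKIE, $token, array(
        'expires'  => time() + SIM_TTL,
        'path'     => COOKIEPATH,
        'domain'   => COOKIE_DOMAIN,
        'secure'   => is_ssl(),
        'httponly' => true,
        'samesite' => 'Strict',
    ) );
    return $token;
}

function safe_determine_current_user( $user_id ) {
    $token = isset( $_COOKIE[ SIM_COOKIE ] ) ? (string) $_COOKIE[ SIM_COOKIE ] : '';
    if ( ! preg_match( '/^[0-9a-f]{64}$/', $token ) ) {
        return $user_id;                                  // numeric or malformed: ignore
    }
    $sessions = (array) get_option( SIM_OPTION, array() );
    $key      = hash( 'sha256', $token );
    if ( ! isset( $sessions[ $key ] ) ) {
        return $user_id;                                  // token was never minted by an admin
    }
    $session = $sessions[ $key ];
    if ( $session['expires'] < time() || ! get_userdata( (int) $session['user_id'] ) ) {
        return $user_id;                                  // expired or target user gone
    }
    return (int) $session['user_id'];
}
add_filter( 'determine_current_user', 'safe_determine_current_user', 20 );
```

The property that matters is that the cookie is an opaque capability minted only after current_user_can() and the nonce check pass, and that the server, not the client, decides which user it maps to. Because the lookup key is the hash of 32 random bytes, the array lookup's timing reveals nothing an attacker can use. The filter deliberately performs no writes: update_option() inside determine_current_user would run while the current user is still being resolved, so pruning is done in sim_start() instead.
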
AI Analysis

Impact

This flaw allows unauthenticated users to set a specific cookie named wp_debug_troubleshoot_simulate_user to any numeric user ID, which the plugin accepts without validation and uses to override the current user context. By doing so, an attacker can impersonate any existing user, including those with administrative privileges, and perform privileged actions such as creating new administrators, modifying site content, installing plugins, or taking complete control of the WordPress site.

Affected Systems

Vulnerable installations are those that use the jhimross Debugger & Troubleshooter WordPress plugin in versions 1.3.2 and earlier; no other plugins or WordPress core components are affected by this specific vulnerability.

Risk and Exploitability

With a CVSS 3.1 base score of 8.8 the vulnerability is rated High; it is not listed in CISA's KEV catalog, and the SSVC record on this page marks exploitation as "none" at the time of enrichment. Exploitation needs no preparation: the attack vector is cookie manipulation, so any visitor can set wp_debug_troubleshoot_simulate_user to a target user ID in a browser or in a raw HTTP request. Note that the CVSS vector recorded on this page (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) carries PR:L, low privileges required, while the title and description state that the attack is unauthenticated; with PR:N the same vector scores 9.8, so treat 8.8 as a lower bound when prioritising. Because the cookie value is accepted with no cryptographic or authorization check, a single request is enough to obtain an administrator context and full site compromise.

Generated by OpenCVE AI on March 31, 2026 at 06:51 UTC.

Remediation

Vendor fix: plugin version 1.4.0 (see Description: user simulation can only be initiated by an administrator, and the cookie carries a random 64-character token that is validated against database-stored mappings instead of being used as a user ID). No workaround short of disabling the plugin is provided.

OpenCVE Recommended Actions

  • Upgrade the Debugger & Troubleshooter plugin to version 1.4.0 or later, which adds cryptographic token validation and limits user simulation to administrators only.
  • Treat any site that ran a vulnerable version while reachable as potentially compromised: an attacker who already used the flaw keeps whatever they created, so review the user list for unexpected administrator accounts, check for unknown plugins and unexplained content changes, and rotate credentials and the WordPress salts if anything is found.
  • After updating, have administrators who used the simulation feature clear the old wp_debug_troubleshoot_simulate_user cookie from their browsers; 1.4.0 ignores the old numeric values, but stale copies make genuine exploitation attempts harder to distinguish in logs.
  • If the plugin cannot be updated immediately, disable or remove the plugin to prevent privilege escalation until a patch is applied.
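
An added detection snippet for the post-patch period, not part of this page or of the plugin: dropped into wp-content/mu-plugins, it runs before regular plugins load and logs any request that presents the cookie in the old numeric form, which after 1.4.0 is either a stale cookie from an administrator who used the feature before the upgrade or an attempt to exploit the pre-fix behaviour. The log prefix, the function name and the unset() stopgap are assumptions; REMOTE_ADDR is the proxy's address if the site sits behind one.

```php
<?php
/*
Plugin Name: CVE-2026-5130 cookie probe detector (added example, mu-plugin)
*/
// Added example, not the plugin's code. Must-use plugins are loaded before regular
// plugins, so this runs before any determine_current_user filter sees the cookie.
define( 'SIM_PROBE_COOKIE', 'wp_debug_troubleshoot_simulate_user' );

function sim_cookie_probe_detector() {
    if ( ! isset( $_COOKIE[ SIM_PROBE_COOKIE ] ) ) {
        return;
    }
    $value = (string) $_COOKIE[ SIM_PROBE_COOKIE ];
    // Valid 1.4.0 values are 64-character random tokens. A purely numeric value is
    // the pre-fix format: the sender is naming a target user ID directly.
    if ( ! ctype_digit( $value ) ) {
        return;
    }
    error_log( sprintf(
        '[CVE-2026-5130 probe] ip=%s method=%s uri=%s target_user_id=%s ua=%s',
        $_SERVER['REMOTE_ADDR'] ?? '-',          // reverse-proxy address if one is in front
        $_SERVER['REQUEST_METHOD'] ?? '-',
        $_SERVER['REQUEST_URI'] ?? '-',
        $value,
        substr( $_SERVER['HTTP_USER_AGENT'] ?? '-', 0, 200 )
    ) );
    // Stopgap for a site that cannot update yet: strip the cookie so a still-
    // vulnerable plugin never reads it. This does not replace the upgrade or
    // the option of disabling the plugin.
    unset( $_COOKIE[ SIM_PROBE_COOKIE ] );
}
sim_cookie_probe_detector();
```

Correlate the logged target_user_id with your administrator IDs: a burst of requests cycling through small IDs (1, 2, 3 ...) from one source is the signature of someone guessing the administrator's ID, while a single hit from a known admin's browser is most likely the stale cookie the recommendations above tell administrators to clear.
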

Generated by OpenCVE AI on March 31, 2026 at 06:51 UTC.


Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Jhimross; Jhimross debugger & Troubleshooter; Wordpress; Wordpress wordpress
Vendors & Products    -                Jhimross; Jhimross debugger & Troubleshooter; Wordpress; Wordpress wordpress

Tue, 31 Mar 2026 14:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 03:00:00 +0000

Type          Values Removed   Values Added
Description   -                (the Description text shown at the top of this page)
Title         -                Debugger & Troubleshooter <= 1.3.2 - Unauthenticated Privilege Escalation to Administrator via Cookie Manipulation
Weaknesses    -                CWE-565 (Reliance on Cookies without Validation and Integrity Checking)
References    -                -
Metrics       -                cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-03-31T13:35:42.702Z

Reserved: 2026-03-30T09:25:02.996Z

Link: CVE-2026-5130

Vulnrichment

Updated: 2026-03-31T13:35:38.221Z

NVD

Status: Received

Published: 2026-03-30T23:17:04.177

Modified: 2026-03-30T23:17:04.177

Link: CVE-2026-5130

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:39:50Z

Weaknesses