Description
The Debug Log Manager – Conveniently Monitor and Inspect Errors plugin for WordPress is vulnerable to Improper Output Neutralization for Logs in all versions up to, and including, 2.5.0. This is due to the `log_js_errors()` AJAX handler being registered for unauthenticated users via `wp_ajax_nopriv_log_js_errors` and gated only by a nonce that is publicly disclosed in every front-end page's HTML through `wp_localize_script()` whenever JavaScript error logging is enabled, providing no real authorization barrier. This makes it possible for unauthenticated attackers to inject arbitrary forged entries into the site's WordPress debug log by supplying attacker-controlled values for the `message`, `script`, `lineNo`, `columnNo`, and `pageUrl` fields — enabling spoofing of error and incident records, obscuring malicious activity within fabricated log noise, and misleading administrators who rely on the log for triage. This vulnerability is only exploitable when the plugin's JavaScript error logging feature is enabled, as the requisite nonce is only published into the page HTML under that condition.
Published: 2026-06-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Debug Log Manager plugin for WordPress allows unauthenticated attackers to craft arbitrary entries in the site's debug log by invoking the log_js_errors AJAX action and submitting malicious values for message, script, lineNo, columnNo, and pageUrl. The attacker can therefore fabricate error records that obscure true incidents and mislead administrators relying on log information for monitoring and triage.
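A hardened handler for the pattern described above, written here as an added example and not the Debug Log Manager plugin's own code (the `dlm_example_` hook and function names, the nonce action string and the numeric limits are assumptions). It keeps the anonymous `wp_ajax_nopriv_` registration, since collecting front-end JavaScript errors from visitors is the feature's purpose, and instead treats the public nonce as a CSRF token only: every field is neutralized before it reaches the log (CWE-117), lengths are capped, requests are rate-limited per IP, and the entry is tagged as client-reported so an administrator doing triage can tell it apart from a server-side PHP error.

```php
<?php
// Added example, not the Debug Log Manager plugin's own code.
// Hook names, the nonce action string and the limits below are assumptions.

// The front-end script is assumed to POST to admin-ajax.php with
// action=dlm_example_log_js_errors and a nonce from wp_create_nonce( 'dlm_example_js_errors' ).
add_action( 'wp_ajax_dlm_example_log_js_errors', 'dlm_example_log_js_errors' );
add_action( 'wp_ajax_nopriv_dlm_example_log_js_errors', 'dlm_example_log_js_errors' );

/**
 * Neutralize one client-supplied value before it is written to a log line
 * (CWE-117): remove CR, LF and other control characters so a single request
 * cannot smuggle a second, forged-looking line, strip tags, and cap the length.
 */
function dlm_example_neutralize_for_log( $value, int $max_len = 512 ): string {
	$value = sanitize_text_field( wp_unslash( (string) $value ) );
	$value = preg_replace( '/[\x00-\x1F\x7F]+/', ' ', $value );
	if ( mb_strlen( $value ) > $max_len ) {
		$value = mb_substr( $value, 0, $max_len ) . '[truncated]';
	}
	return $value;
}

/**
 * Allow at most $limit reports per client IP per minute, tracked in a transient.
 * Behind a reverse proxy REMOTE_ADDR is the proxy, so derive the client IP there instead.
 */
function dlm_example_within_rate_limit( int $limit = 20 ): bool {
	$ip    = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
	$key   = 'dlm_example_rl_' . md5( $ip );
	$count = (int) get_transient( $key );
	if ( $count >= $limit ) {
		return false;
	}
	set_transient( $key, $count + 1, MINUTE_IN_SECONDS );
	return true;
}

function dlm_example_log_js_errors(): void {
	// The nonce is embedded in every front-end page, so it only proves the request
	// originated from a page this site served. It is CSRF protection, not
	// authorization, and nothing below trusts the request because of it.
	check_ajax_referer( 'dlm_example_js_errors', 'nonce' );

	if ( ! dlm_example_within_rate_limit() ) {
		wp_send_json_error( 'rate limited', 429 );
	}

	$message = dlm_example_neutralize_for_log( $_POST['message'] ?? '' );
	$script  = dlm_example_neutralize_for_log( $_POST['script'] ?? '', 255 );
	$page    = esc_url_raw( dlm_example_neutralize_for_log( $_POST['pageUrl'] ?? '', 255 ) );
	$line    = absint( $_POST['lineNo'] ?? 0 );
	$column  = absint( $_POST['columnNo'] ?? 0 );

	// The prefix marks the line as untrusted, browser-reported data so it cannot
	// be mistaken for a PHP warning or fatal error during triage.
	error_log( sprintf(
		'[JS error | client-reported | user:%d | ip:%s] %s at %s:%d:%d on %s',
		get_current_user_id(),
		$_SERVER['REMOTE_ADDR'] ?? '0.0.0.0',
		$message,
		$script,
		$line,
		$column,
		$page
	) );

	wp_send_json_success();
}
```

What remains after this is an attacker who can still write a single, clearly labelled line of arbitrary text at a bounded rate; that is the residual cost of accepting anonymous reports at all. If anonymous reporting is not needed, drop the `wp_ajax_nopriv_` registration and add a `current_user_can()` check, which closes the endpoint to the unauthenticated attacker entirely.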

Affected Systems

WordPress sites running the Debug Log Manager – Conveniently Monitor and Inspect Errors plugin, any release up to and including 2.5.0. The flaw is reachable only while the plugin's JavaScript error logging feature is enabled, because the nonce that gates the handler is published into front-end HTML only in that case.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 score of 5.3 (Medium; AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) and an EPSS probability below 1%, and it is not listed in the CISA KEV catalog. The impact is limited to integrity: an attacker writes forged lines into the debug log, with no effect on confidentiality or availability. The flaw is reachable by any unauthenticated visitor while JavaScript error logging is enabled, because the handler is registered on the wp_ajax_nopriv_ hook and the nonce it checks is rendered into every front-end page, so presenting the nonce proves nothing about who sent the request. Remote access to the site is therefore sufficient to inject fabricated entries. Disabling the JavaScript error logging feature removes the published nonce and with it the exposure until a fixed release is available.

Generated by OpenCVE AI on June 6, 2026 at 06:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Debug Log Manager plugin to a fixed release once one is published; as of this record no patched version is listed, so the mitigations below apply in the meantime
  • If an upgrade is not possible, disable the plugin's JavaScript error logging feature so the nonce is no longer embedded in front-end pages; a nonce captured before the change stays valid until it expires (WordPress nonces live for 12 to 24 hours by default), so confirm afterwards that an unauthenticated request for the log_js_errors action is rejected
  • Alternatively, block requests to /wp-admin/admin-ajax.php whose action parameter is log_js_errors at a web application firewall; the action may arrive in the query string or the POST body, so a path-only .htaccess rule does not catch it, and the block also disables the feature for legitimate visitors
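A workaround that achieves the same effect as the last two bullets without editing the plugin, given here as an added example and not as vendor-provided code: a must-use plugin that answers the unauthenticated `log_js_errors` action with a 403 before the plugin's own callback runs. The hook name `wp_ajax_nopriv_log_js_errors` comes from the advisory; the file name and the message text are choices.

```php
<?php
/**
 * Plugin Name: Block unauthenticated log_js_errors (added example, not vendor code)
 * Description: Save as wp-content/mu-plugins/block-log-js-errors.php. Must-use
 * plugins load before regular plugins, and priority 0 runs ahead of the default
 * priority 10, so this callback executes first. wp_send_json_error() ends the
 * request, so the plugin's handler never gets to write to the debug log.
 */

add_action( 'wp_ajax_nopriv_log_js_errors', function () {
	// Authenticated requests use the separate wp_ajax_log_js_errors hook and are untouched.
	wp_send_json_error( 'log_js_errors is disabled for unauthenticated requests', 403 );
}, 0 );
```

To verify, send an unauthenticated request to /wp-admin/admin-ajax.php with action=log_js_errors (as a query parameter or in the POST body): the response should be HTTP 403 with the JSON error body produced by wp_send_json_error(), and no new line should appear in the debug log. Remove the file once a fixed plugin release is installed.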

Generated by OpenCVE AI on June 6, 2026 at 06:21 UTC.

Advisories

No advisories yet.

History

Sat, 06 Jun 2026 12:30:00 +0000

Type: Metrics (ssvc)
Values Removed: none
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 06 Jun 2026 05:00:00 +0000

Type: Description
Values Removed: none
Values Added: The Debug Log Manager – Conveniently Monitor and Inspect Errors plugin for WordPress is vulnerable to Improper Output Neutralization for Logs in all versions up to, and including, 2.5.0. This is due to the `log_js_errors()` AJAX handler being registered for unauthenticated users via `wp_ajax_nopriv_log_js_errors` and gated only by a nonce that is publicly disclosed in every front-end page's HTML through `wp_localize_script()` whenever JavaScript error logging is enabled, providing no real authorization barrier. This makes it possible for unauthenticated attackers to inject arbitrary forged entries into the site's WordPress debug log by supplying attacker-controlled values for the `message`, `script`, `lineNo`, `columnNo`, and `pageUrl` fields — enabling spoofing of error and incident records, obscuring malicious activity within fabricated log noise, and misleading administrators who rely on the log for triage. This vulnerability is only exploitable when the plugin's JavaScript error logging feature is enabled, as the requisite nonce is only published into the page HTML under that condition.

Type: Title
Values Removed: none
Values Added: Debug Log Manager <= 2.5.0 - Unauthenticated Improper Output Neutralization for Logs via log_js_errors AJAX Action

Type: Weaknesses
Values Removed: none
Values Added: CWE-117

Type: References
Values Removed: none
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Removed: none
Values Added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-06T11:41:53.158Z

Reserved: 2026-05-19T14:30:12.804Z

Link: CVE-2026-9016

Vulnrichment

Updated: 2026-06-06T11:41:48.424Z

NVD

Status: Received

Published: 2026-06-06T05:16:29.657

Modified: 2026-06-06T05:16:29.657

Link: CVE-2026-9016

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-06T06:30:14Z

Weaknesses