MEDIUM 5.3

CVE-2026-9016: Debug Log Manager WordPress Plugin Log Injection Vulnerability

A WordPress plugin called Debug Log Manager allows website visitors—including those not logged in—to write fake error messages directly into the site's debug log. The plugin publishes a security token publicly in every page's HTML code, defeating its own authorization checks. An attacker can exploit this to flood the log with fabricated entries, making it harder for administrators to spot real problems and potentially covering up malicious activity. This only affects sites that have the plugin's JavaScript error logging feature enabled.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-117
Affected products
0 configuration(s)
Published / Modified
2026-06-06 / 2026-06-17

NVD description (verbatim)

The Debug Log Manager – Conveniently Monitor and Inspect Errors plugin for WordPress is vulnerable to Improper Output Neutralization for Logs in all versions up to, and including, 2.5.0. This is due to the `log_js_errors()` AJAX handler being registered for unauthenticated users via `wp_ajax_nopriv_log_js_errors` and gated only by a nonce that is publicly disclosed in every front-end page's HTML through `wp_localize_script()` whenever JavaScript error logging is enabled, providing no real authorization barrier. This makes it possible for unauthenticated attackers to inject arbitrary forged entries into the site's WordPress debug log by supplying attacker-controlled values for the `message`, `script`, `lineNo`, `columnNo`, and `pageUrl` fields — enabling spoofing of error and incident records, obscuring malicious activity within fabricated log noise, and misleading administrators who rely on the log for triage. This vulnerability is only exploitable when the plugin's JavaScript error logging feature is enabled, as the requisite nonce is only published into the page HTML under that condition.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The Debug Log Manager plugin registers an AJAX handler (`log_js_errors()`) for unauthenticated requests via the `wp_ajax_nopriv_log_js_errors` hook. While a nonce check is present, the nonce is publicly disclosed to all users through `wp_localize_script()` whenever JavaScript error logging is active, rendering the nonce useless as an authorization control. Attackers can craft POST requests to the AJAX endpoint, injecting arbitrary values into the `message`, `script`, `lineNo`, `columnNo`, and `pageUrl` parameters. These values are written directly into the WordPress debug log without proper output neutralization (CWE-117), allowing log spoofing. The vulnerability chain combines weak access control, public credential exposure, and insufficient input validation.

Business impact

Log poisoning can severely degrade incident response capabilities. Security teams and administrators rely on debug logs to identify breaches, performance issues, and attacks. If an attacker floods logs with noise, legitimate warnings become buried or dismissed, delaying detection of real compromise. Additionally, spoofed error records can mislead forensic analysis, creating false narratives about system behavior and complicating root-cause investigations. The integrity of your audit trail—a foundational control for compliance—is compromised.

Affected systems

The Debug Log Manager – Conveniently Monitor and Inspect Errors plugin in all versions up to and including 2.5.0 is affected. Only WordPress sites running this plugin with JavaScript error logging explicitly enabled are at risk. Sites with the plugin installed but error logging disabled are not vulnerable, as the public nonce is not published in such configurations.

Exploitability

Exploitability is straightforward. The nonce is embedded in plain text in every front-end page HTML and does not expire within a single page view. No user interaction is required beyond the attacker sending a simple AJAX POST request. An attacker with network access (local or remote) can repeatedly forge entries. However, the attack requires the error logging feature to be active, which limits the absolute scope of exposure. Once enabled, the vulnerability requires no special timing, payload obfuscation, or user cooperation.

Remediation

Update the Debug Log Manager plugin to a patched version released after 2.5.0 (verify the exact version number against the plugin vendor's advisory). If an update is not yet available, disable JavaScript error logging in the plugin's settings to stop publishing the nonce into page HTML. For defense-in-depth, review debug log records for suspicious entries (timestamps clustering outside normal activity windows, errors from unfamiliar scripts or pages), and consider relocating debug logs outside the web root or restricting log file permissions to admin access only.

Patch guidance

Check the plugin vendor's release notes and security advisory for the patched version addressing CVE-2026-9016. Apply the update via the WordPress admin dashboard (Plugins > Installed Plugins > Debug Log Manager > Update) or via WP-CLI using `wp plugin update debug-log-manager`. After patching, verify that the version number in Plugins > Installed Plugins reflects the new version, and confirm in your site's page HTML (view source) that the debug logging nonce is no longer present if you disable the logging feature or rely on the vendor's fix.

Detection guidance

Search your WordPress debug.log file for entries with timestamps that do not align with user activity or legitimate errors. Look for repeated entries from the same `pageUrl` or `script` values that seem fabricated or unusual. Monitor access logs for POST requests to `/wp-admin/admin-ajax.php?action=log_js_errors` with a `nonce` parameter from unauthenticated clients (IP addresses not in your admin whitelist). Use a SIEM or log aggregation tool to baseline normal error rates and alert on sudden spikes. Consider adding a WAF rule to block or rate-limit AJAX log submissions from non-admin users.

Why prioritize this

Although the CVSS score is MEDIUM (5.3), the vulnerability directly undermines log integrity—a critical detective control. For organizations heavily dependent on debug logs for incident response, this warrants urgent attention because it enables attackers to corrupt evidence and delay detection. Prioritize patching or disabling the feature within your current release cycle. This is especially critical if your site handles sensitive transactions or operates in a compliance-heavy environment (PCI-DSS, HIPAA, SOC 2) where log integrity is mandated.

Risk score, explained

The CVSS 3.1 score of 5.3 reflects a network-accessible vulnerability with low attack complexity and no authentication or user interaction required (AV:N/AC:L/PR:N/UI:N). However, the scope is unchanged and there is no confidentiality impact—only integrity impact (log spoofing). The score appropriately lands in the MEDIUM range. The true organizational risk is higher if your team relies on debug logs as a primary detection mechanism; consider this when mapping to your internal risk model.

Frequently asked questions

Do I need to update immediately if I have the plugin but error logging disabled?

No. The vulnerability only manifests when JavaScript error logging is active, which is the condition under which the nonce is published in page HTML. If the feature is disabled, the nonce is not present and the endpoint cannot be exploited. However, you should still plan to patch or remove the plugin to avoid future misconfiguration.

Can an attacker use this to execute code or read sensitive data?

No. This vulnerability allows only injection of fake log entries. It does not grant code execution, file access, or data exfiltration. The damage is limited to log integrity—the attacker can obscure real events and potentially misdirect incident response, but cannot directly compromise the website's confidentiality or availability.

How can I detect if my logs have already been tampered with?

Review your debug.log for entries that lack corresponding PHP errors, or that appear in clusters outside your normal operational hours. Check for log entries with suspicious or test-like messages, unusual file paths, or repeated failures from the same page. Cross-reference with web server access logs to confirm whether the error-triggering requests actually occurred. A forensic diff against a known-good baseline log (if you maintain one) is most reliable.

Is there a temporary mitigation if I cannot patch immediately?

Yes. Disable the Debug Log Manager's JavaScript error logging feature in the plugin settings (or deactivate the plugin entirely) until a patch is available. You can also restrict access to the debug.log file via filesystem permissions (readable only by the web server and administrators) to reduce the window for exploitation. Additionally, enable WordPress security headers and consider a WAF rule to limit AJAX requests from untrusted sources.

This analysis is based on the published CVE record and vendor advisory as of the modification date (2026-06-17). Security landscapes evolve; verify patch availability, version numbers, and mitigation steps against the official plugin vendor's advisory and your own environment. SEC.co makes no warranty regarding the completeness or real-time accuracy of this intelligence. Always test patches in a non-production environment before deployment. If you have evidence of active exploitation, contact your incident response team or a qualified security professional immediately. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).