Debug Log Manager < 2.3.0 - Sensitive Logs Exposure

Vulnerability

The Debug Log Manager WordPress plugin versions prior to 2.3.0 contain a directory listing vulnerability [1]. This vulnerability allows unauthenticated users to enumerate and download the plugin's debug log file without any authorization checks [1]. The vulnerability resides in the plugin's log management functionality where directory listing is enabled, exposing the log directory contents [1].

Exploitation

An attacker can exploit this vulnerability by simply accessing the plugin's debug log directory URL without needing any authentication or prior knowledge [1]. The attacker can then download the debug log file, which contains sensitive information recorded during debugging [1]. No user interaction or special privileges are required [1].

Impact

Successful exploitation leads to unauthorized disclosure of sensitive data contained in the debug logs [1]. This can include system information, error messages, and potentially credentials or other confidential data that was logged during debugging [1]. The impact is limited to information disclosure (confidentiality breach) without affecting system integrity or availability [1].

Mitigation

The vulnerability has been fixed in version 2.3.0 of the Debug Log Manager plugin [1]. Users should immediately update to version 2.3.0 or later [1]. No workarounds have been disclosed for older versions [1]. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog [1].