VYPR
High severity 7.1 · NVD Advisory · Published Apr 18, 2024 · Updated Apr 28, 2026

CVE-2024-32582


Description

Stored XSS vulnerability in Debug Log Manager WordPress plugin through 2.3.1 allows attackers to inject arbitrary web scripts via unsanitized input.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The Debug Log Manager plugin for WordPress (versions through 2.3.1) fails to properly neutralize input during web page generation, leading to a stored cross-site scripting (XSS) vulnerability. The plugin allows administrators to view and manage debug logs, but insufficient sanitization of log entries or other input fields enables injection of malicious scripts that are stored and later executed in the context of the admin dashboard. Affected versions: all versions through 2.3.1 (the lower bound is listed as n/a). [1]

Exploitation

An attacker with the ability to influence log content (e.g., by triggering a PHP error with a crafted payload) can inject arbitrary JavaScript. The injected script is stored in the debug log and executed when an administrator views the log entries in the WordPress admin area. No special network position is required beyond being able to cause a log entry; however, the attacker must have some means to write to the debug log, such as through a plugin or theme vulnerability that generates a log entry with attacker-controlled data. The attack does not require authentication if the log can be populated via unauthenticated actions, but the XSS payload will only execute in the context of an authenticated admin session.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the browser of an administrator viewing the debug log. This can lead to session hijacking, defacement, or theft of sensitive information such as admin credentials or nonces. The impact is limited to the admin dashboard context, but could be leveraged for privilege escalation or further compromise of the WordPress site.

Mitigation

The vendor has released version 2.5.0, which likely addresses this vulnerability; users should update to the latest version immediately. No workarounds are documented. The plugin is actively maintained, and the fix is available via the WordPress plugin repository. [1]

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
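The flaw class described above (log text reaching an admin page without output encoding) can be checked for and neutralized outside WordPress. The following is an added example, not code from the plugin or from this advisory: it parses a debug log, flags entries containing tag-like text, and renders every log-derived field HTML-encoded. It assumes PHP's default `[timestamp] message` error-log prefix; the function names, file paths and sample log are constructed for illustration.

```python
import html
import re

# Assumed format: PHP's default error_log prefix, "[18-Apr-2024 10:15:02 UTC] message".
ENTRY = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<msg>.*)$")
# "<" followed by a letter, "/", "!" or "?" is what an HTML parser treats as markup.
TAG_LIKE = re.compile(r"<[A-Za-z/!?]")


def parse_entries(text):
    """Split log text into (timestamp, message); stack-trace lines join the previous entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append([m.group("ts"), m.group("msg")])
        elif entries and line.strip():
            entries[-1][1] += "\n" + line
    return [tuple(e) for e in entries]


def flag_markup(entries):
    """Return entries whose message contains tag-like text worth reviewing."""
    return [e for e in entries if TAG_LIKE.search(e[1])]


def render_rows(entries):
    """Render entries as table rows, HTML-encoding every log-derived field."""
    row = "<tr><td>{}</td><td><pre>{}</pre></td></tr>"
    return "\n".join(row.format(html.escape(ts), html.escape(msg)) for ts, msg in entries)


# Constructed sample log; the second entry carries request-derived markup.
SAMPLE_LOG = """\
[18-Apr-2024 10:15:02 UTC] PHP Warning:  Undefined variable $title in /var/www/html/wp-content/themes/example/header.php on line 12
[18-Apr-2024 10:15:09 UTC] PHP Notice:  Unknown value <script>alert(1)</script> for parameter "mode" in /var/www/html/wp-content/plugins/example/handler.php on line 40
[18-Apr-2024 10:16:41 UTC] PHP Fatal error:  Uncaught Exception: boom in /var/www/html/wp-content/plugins/example/run.php:7
Stack trace:
#0 {main}
  thrown in /var/www/html/wp-content/plugins/example/run.php on line 7
"""

if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    for ts, msg in flag_markup(parsed):
        print("review before viewing in a browser:", ts, msg[:60])
    print(render_rows(parsed))
```

Inside WordPress itself, the equivalent of `html.escape` at output time is `esc_html()`.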

Affected products

2

Patches

0

No patches discovered yet.


References

1
