VYPR
Medium severity 5.4 · NVD Advisory · Published Dec 9, 2025 · Updated Apr 27, 2026

CVE-2025-67561

Description

Missing Authorization vulnerability in Oleksandr Lysyi Debug Log Viewer debug-log-viewer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Debug Log Viewer: from n/a through <= 2.0.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The WordPress Debug Log Viewer plugin <=2.0.3 has a missing authorization vulnerability that could allow unauthenticated access to debug logs.

The Debug Log Viewer plugin for WordPress suffers from a missing authorization vulnerability (broken access control). The plugin fails to properly verify permissions before exposing debug logs, allowing unauthorized access. This issue affects versions up to and including 2.0.3 [1].

An unauthenticated attacker can exploit this flaw by directly requesting the debug log functionality, bypassing access controls. The vulnerability is known to be used in mass-exploit campaigns targeting thousands of websites, regardless of size or traffic [1]. No special privileges or network position are required beyond network access to the WordPress site.

Successful exploitation exposes sensitive debug log information, which may include error messages, file paths, database queries, and potentially credentials. This information can aid attackers in further compromising the site. The CVSS score of 5.4 indicates medium severity, but the ease of exploitation elevates the risk in practice [1].

The vendor has released version 2.0.4 to address this issue. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. If updating is not possible, consult a hosting provider or web developer for assistance [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
