VYPR

CVE-2026-9016

Medium severity 5.3 · NVD Advisory · Published Jun 6, 2026

Description

The Debug Log Manager – Conveniently Monitor and Inspect Errors plugin for WordPress is vulnerable to Improper Output Neutralization for Logs in all versions up to, and including, 2.5.0. This is due to the log_js_errors() AJAX handler being registered for unauthenticated users via wp_ajax_nopriv_log_js_errors and gated only by a nonce that is publicly disclosed in every front-end page's HTML through wp_localize_script() whenever JavaScript error logging is enabled, providing no real authorization barrier. This makes it possible for unauthenticated attackers to inject arbitrary forged entries into the site's WordPress debug log by supplying attacker-controlled values for the message, script, lineNo, columnNo, and pageUrl fields — enabling spoofing of error and incident records, obscuring malicious activity within fabricated log noise, and misleading administrators who rely on the log for triage. This vulnerability is only exploitable when the plugin's JavaScript error logging feature is enabled, as the requisite nonce is only published into the page HTML under that condition.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"The `log_js_errors()` AJAX handler is accessible to unauthenticated users and is only protected by a nonce that is publicly disclosed."

Attack vector

An unauthenticated attacker can exploit this vulnerability by sending a crafted POST request to the `log_js_errors()` AJAX handler. This handler is registered for unauthenticated users via `wp_ajax_nopriv_log_js_errors` and is protected by a nonce that is publicly exposed in the HTML of any front-end page when JavaScript error logging is enabled. The attacker can supply arbitrary values for the `message`, `script`, `lineNo`, `columnNo`, and `pageUrl` fields to inject forged entries into the site's debug log. This attack is only possible if the plugin's JavaScript error logging feature is enabled [ref_id=1].

Affected code

The vulnerability lies within the `log_js_errors()` method, which is registered as an AJAX handler for unauthenticated users. This method is accessible via the `wp_ajax_nopriv_log_js_errors` hook. The lack of proper authorization checks before nonce verification allows unauthenticated users to inject malicious data into the debug logs [ref_id=1].

What the fix does

The patch addresses the vulnerability by ensuring that the `log_js_errors()` AJAX action is properly checked for user authentication. Specifically, it adds a check to verify if the current user has the 'manage_options' capability before proceeding with the nonce verification and log entry creation. This prevents unauthenticated users from accessing and exploiting the AJAX handler, thereby mitigating the risk of arbitrary log injection.
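The following is an added illustration of a hardened handler, not code from the Debug Log Manager plugin or its patch. It reconstructs, from the advisory's description, the shape of the fix (the `manage_options` capability check ahead of nonce verification) and goes one step further in two places that the advisory does not describe: it drops the `wp_ajax_nopriv_*` registration entirely, and it neutralizes the logged fields (CWE-117) so that even an authorized caller cannot write multi-line or control-character entries. The class name, nonce action, script path and log line format are assumptions.

```php
<?php
/**
 * Hardened front-end JS error-logging AJAX handler (added example).
 * Not the plugin's code: class name, nonce action, script path and log
 * format are assumptions based on the advisory text.
 */
class Hardened_JS_Error_Logger {

    // Assumed nonce action; the plugin's real action name is not on the page.
    const NONCE_ACTION = 'hardened_js_error_log';

    public function register_hooks() {
        // Only the authenticated endpoint is registered. Without a
        // wp_ajax_nopriv_* hook, unauthenticated requests never reach the handler.
        add_action( 'wp_ajax_log_js_errors', array( $this, 'log_js_errors' ) );
        add_action( 'wp_enqueue_scripts', array( $this, 'enqueue_error_script' ) );
    }

    public function enqueue_error_script() {
        // Publish the nonce only to users who are allowed to call the handler,
        // so it is not emitted into the HTML of every public page.
        if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
            return;
        }
        // Script path is assumed.
        wp_enqueue_script( 'hardened-js-error-log', plugins_url( 'js/error-log.js', __FILE__ ), array(), '1.0', true );
        wp_localize_script( 'hardened-js-error-log', 'hardenedJsErrorLog', array(
            'ajaxUrl' => admin_url( 'admin-ajax.php' ),
            'nonce'   => wp_create_nonce( self::NONCE_ACTION ),
        ) );
    }

    public function log_js_errors() {
        // 1. Authorization first, as the advisory's fix describes: a nonce is
        //    not an authorization barrier when it is readable from public HTML.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
        }

        // 2. CSRF check; third argument false so this code controls the response.
        if ( ! check_ajax_referer( self::NONCE_ACTION, 'nonce', false ) ) {
            wp_send_json_error( array( 'message' => 'bad nonce' ), 403 );
        }

        // 3. Output neutralization for logs (CWE-117): coerce each field to its
        //    expected type and strip line breaks and control characters, so one
        //    request can never yield more than one log line or a fake timestamp.
        $message  = $this->one_line( isset( $_POST['message'] ) ? wp_unslash( $_POST['message'] ) : '', 1000 );
        $script   = $this->one_line( isset( $_POST['script'] ) ? wp_unslash( $_POST['script'] ) : '', 500 );
        $line_no  = isset( $_POST['lineNo'] ) ? absint( $_POST['lineNo'] ) : 0;
        $col_no   = isset( $_POST['columnNo'] ) ? absint( $_POST['columnNo'] ) : 0;
        $page_url = isset( $_POST['pageUrl'] ) ? esc_url_raw( wp_unslash( $_POST['pageUrl'] ) ) : '';
        $page_url = $this->one_line( $page_url, 500 );

        // Record who submitted the entry so any noise is attributable in triage.
        $entry = sprintf(
            '[JS error] user=%d msg="%s" script="%s" line=%d col=%d url="%s"',
            get_current_user_id(), $message, $script, $line_no, $col_no, $page_url
        );
        error_log( $entry ); // lands in the debug log when WP_DEBUG_LOG is enabled
        wp_send_json_success();
    }

    /** Collapse CR, LF and other control characters to a space and cap the length. */
    private function one_line( $value, $max_len ) {
        $value = sanitize_text_field( (string) $value ); // strips tags and line breaks
        $value = preg_replace( '/[\x00-\x1F\x7F]+/', ' ', $value );
        return mb_substr( $value, 0, $max_len );
    }
}

( new Hardened_JS_Error_Logger() )->register_hooks();
```

The ordering matters: the capability check runs before `check_ajax_referer()`, because a nonce proves only that the request came from a page that rendered it, which is exactly the property the advisory shows is worthless once the nonce is in public HTML. Step 3 is the defence against the CWE the advisory names: whatever a caller is allowed to submit, each request becomes at most one bounded, single-line entry attributed to a user id, so forged "incident" records cannot masquerade as separate log lines.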

Preconditions

  • config: The plugin's JavaScript error logging feature must be enabled.
  • auth: The attacker must be unauthenticated.

Generated on Jun 6, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 6

News mentions: 0 (no linked articles in our index yet)