Debug-Bar-Extender CVE-2025-26555
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Debug-Bar-Extender allows Reflected XSS. This issue affects Debug-Bar-Extender: from n/a through 0.5.
AnalysisAI
Reflected cross-site scripting in Debug-Bar-Extender WordPress plugin versions through 0.5 allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs. This requires user interaction (victim must click a malicious link) but no authentication. Exploitation probability is low (EPSS 0.09%, 26th percentile) with no evidence of active exploitation or public proof-of-concept code at time of analysis. The vulnerability affects a WordPress debugging tool typically used in development environments, reducing real-world exposure.
Technical ContextAI
Debug-Bar-Extender is a WordPress plugin that extends the Debug Bar plugin with additional debugging panels. The vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), where user-supplied input is reflected in HTML output without proper sanitization or encoding. This allows attackers to inject malicious JavaScript that executes in the context of the WordPress site when victims view attacker-controlled input. The changed scope (S:C) in the CVSS vector indicates the vulnerable component can impact resources beyond its security scope, typical of XSS where attacker code runs with victim's session privileges. WordPress plugins handle GET/POST parameters and URL paths that may be reflected in administrative interfaces or debug output screens without adequate input validation.
Affected ProductsAI
WordPress Debug-Bar-Extender plugin versions from earliest available through 0.5 are confirmed vulnerable per Patchstack advisory. The plugin extends the WordPress Debug Bar functionality and is typically installed on development or staging WordPress installations. No CPE data was provided in available sources. The vendor advisory at Patchstack (https://patchstack.com/database/wordpress/plugin/debug-bar-extender/vulnerability/wordpress-debug-bar-extender-plugin-0-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) provides the authoritative affected version range.
RemediationAI
Upgrade Debug-Bar-Extender to a patched version newer than 0.5 when available (patch version not independently confirmed at time of analysis - consult Patchstack advisory at https://patchstack.com/database/wordpress/plugin/debug-bar-extender/ for latest release). If no patch is available, implement these compensating controls: Disable Debug-Bar-Extender entirely on production sites (recommended practice for debugging tools), restrict plugin access to trusted administrator IP addresses via .htaccess or firewall rules (reduces attack surface but doesn't prevent exploitation from compromised admin accounts), implement Content Security Policy headers to block inline JavaScript execution (may break legitimate plugin functionality and requires testing), or uninstall the plugin if not actively needed (eliminates risk but removes debugging capability). Note that debugging plugins should never be active in production environments regardless of patch status.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today