Skip to main content

WordPress CVE-2026-5130

| EUVDEUVD-2026-17245 HIGH
Reliance on Cookies without Validation and Integrity Checking (CWE-565)
2026-03-30 Wordfence GHSA-24w3-v7fc-cjwv
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 18:22 vuln.today
cvss_changed
EUVD ID Assigned
Mar 30, 2026 - 23:00 euvd
EUVD-2026-17245
Analysis Generated
Mar 30, 2026 - 23:00 vuln.today
CVE Published
Mar 30, 2026 - 22:24 nvd
HIGH 8.8

DescriptionCVE.org

The Debugger & Troubleshooter plugin for WordPress was vulnerable to Unauthenticated Privilege Escalation in versions up to and including 1.3.2. This was due to the plugin accepting the wp_debug_troubleshoot_simulate_user cookie value directly as a user ID without any cryptographic validation or authorization checks. The cookie value was used to override the determine_current_user filter, which allowed unauthenticated attackers to impersonate any user by simply setting the cookie to their target user ID. This made it possible for unauthenticated attackers to gain administrator-level access and perform any privileged actions including creating new administrator accounts, modifying site content, installing plugins, or taking complete control of the WordPress site. The vulnerability was fixed in version 1.4.0 by implementing a cryptographic token-based validation system where only administrators can initiate user simulation, and the cookie contains a random 64-character token that must be validated against database-stored mappings rather than accepting arbitrary user IDs.

AnalysisAI

Unauthenticated privilege escalation in Debugger & Troubleshooter WordPress plugin (versions ≤1.3.2) allows remote attackers to gain administrator access by manipulating a cookie value. Attackers can set the wp_debug_troubleshoot_simulate_user cookie to any user ID without cryptographic validation, bypassing all authentication and authorization checks to immediately impersonate administrators. No public exploit code confirmed at time of analysis, though the attack mechanism is straightforward requiring only cookie manipulation. CVSS 8.8 with network-based attack vector and low complexity indicates significant real-world risk for unpatched installations. Vendor-released patch in version 1.4.0 implements cryptographic token validation.

Technical ContextAI

This vulnerability stems from insecure direct object reference (CWE-565) in the plugin's user simulation feature. The plugin hooks into WordPress's determine_current_user filter and accepts the wp_debug_troubleshoot_simulate_user cookie value directly as a user ID without any validation. The vulnerable code path (lines 827-849 in version 1.3.2) reads the cookie and immediately uses its numeric value to override the current user context. WordPress's determine_current_user filter is a critical authentication mechanism that runs early in the request lifecycle to establish user identity. By accepting arbitrary cookie values without cryptographic signing, HMAC validation, or capability checks, the plugin creates a direct authentication bypass. The affected product (CPE: cpe:2.3:a:jhimross:debugger_&_troubleshooter) is a debugging tool intended for development environments but often inadvertently left active on production sites. The fix in version 1.4.0 implements a proper token-based system where administrators generate 64-character random tokens stored in the database, ensuring only legitimate simulation sessions initiated by privileged users can override authentication.

RemediationAI

Immediately upgrade to Debugger & Troubleshooter version 1.4.0 or later, which implements cryptographic token-based validation for user simulation functionality. The patch is available through the WordPress plugin repository, with the security fix documented in changeset 3486202 viewable at https://plugins.trac.wordpress.org/changeset/3486202/debugger-troubleshooter/trunk/debug-troubleshooter.php. If immediate patching is not possible, disable and remove the plugin entirely until upgrade can be completed, as this is a debugging tool typically not required in production environments. After upgrading, review administrator user accounts and recent administrative actions for unauthorized changes, as attackers exploiting this vulnerability could have created persistent backdoor accounts. Check WordPress user lists for unfamiliar administrator accounts, review recently installed plugins and themes, and examine recent content modifications. Organizations should audit whether this debugging plugin is necessary in production and consider restricting such tools to development environments only.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2026-5130 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy