Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
The Debugger & Troubleshooter plugin for WordPress was vulnerable to Unauthenticated Privilege Escalation in versions up to and including 1.3.2. This was due to the plugin accepting the wp_debug_troubleshoot_simulate_user cookie value directly as a user ID without any cryptographic validation or authorization checks. The cookie value was used to override the determine_current_user filter, which allowed unauthenticated attackers to impersonate any user by simply setting the cookie to their target user ID. This made it possible for unauthenticated attackers to gain administrator-level access and perform any privileged actions including creating new administrator accounts, modifying site content, installing plugins, or taking complete control of the WordPress site. The vulnerability was fixed in version 1.4.0 by implementing a cryptographic token-based validation system where only administrators can initiate user simulation, and the cookie contains a random 64-character token that must be validated against database-stored mappings rather than accepting arbitrary user IDs.
AnalysisAI
Unauthenticated privilege escalation in Debugger & Troubleshooter WordPress plugin (versions ≤1.3.2) allows remote attackers to gain administrator access by manipulating a cookie value. Attackers can set the wp_debug_troubleshoot_simulate_user cookie to any user ID without cryptographic validation, bypassing all authentication and authorization checks to immediately impersonate administrators. No public exploit code confirmed at time of analysis, though the attack mechanism is straightforward requiring only cookie manipulation. CVSS 8.8 with network-based attack vector and low complexity indicates significant real-world risk for unpatched installations. Vendor-released patch in version 1.4.0 implements cryptographic token validation.
Technical ContextAI
This vulnerability stems from insecure direct object reference (CWE-565) in the plugin's user simulation feature. The plugin hooks into WordPress's determine_current_user filter and accepts the wp_debug_troubleshoot_simulate_user cookie value directly as a user ID without any validation. The vulnerable code path (lines 827-849 in version 1.3.2) reads the cookie and immediately uses its numeric value to override the current user context. WordPress's determine_current_user filter is a critical authentication mechanism that runs early in the request lifecycle to establish user identity. By accepting arbitrary cookie values without cryptographic signing, HMAC validation, or capability checks, the plugin creates a direct authentication bypass. The affected product (CPE: cpe:2.3:a:jhimross:debugger_&_troubleshooter) is a debugging tool intended for development environments but often inadvertently left active on production sites. The fix in version 1.4.0 implements a proper token-based system where administrators generate 64-character random tokens stored in the database, ensuring only legitimate simulation sessions initiated by privileged users can override authentication.
RemediationAI
Immediately upgrade to Debugger & Troubleshooter version 1.4.0 or later, which implements cryptographic token-based validation for user simulation functionality. The patch is available through the WordPress plugin repository, with the security fix documented in changeset 3486202 viewable at https://plugins.trac.wordpress.org/changeset/3486202/debugger-troubleshooter/trunk/debug-troubleshooter.php. If immediate patching is not possible, disable and remove the plugin entirely until upgrade can be completed, as this is a debugging tool typically not required in production environments. After upgrading, review administrator user accounts and recent administrative actions for unauthorized changes, as attackers exploiting this vulnerability could have created persistent backdoor accounts. Check WordPress user lists for unfamiliar administrator accounts, review recently installed plugins and themes, and examine recent content modifications. Organizations should audit whether this debugging plugin is necessary in production and consider restricting such tools to development environments only.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17245
GHSA-24w3-v7fc-cjwv