CVE-2025-3809: Debug Log Manager <= 2.3.4 - Unauthenticated Stored Cross-Site Scripting

7.2 CVSS

Description

The Debug Log Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the auto-refresh debug log in all versions up to, and including, 2.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Classification

CVE ID: CVE-2025-3809

CVSS Base Severity: HIGH

CVSS Base Score: 7.2

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Problem Types

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected Products

Vendor: qriouslad

Product: Debug Log Manager

References

https://nvd.nist.gov/vuln/detail/CVE-2025-3809
https://www.wordfence.com/threat-intel/vulnerabilities/id/cbc3210d-224e-4ed2-ada7-dc17deb17584?source=cve
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3267252%40debug-log-manager&new=3267252%40debug-log-manager&sfp_email=&sfph_mail=

Timeline

2025-04-19 06:40:17 UTC
CVE

Debug Log Manager <= 2.3.4 - Unauthenticated Stored Cross-Site Scripting