[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fay8dUtghJO88hvkarVMS27rJJ0-NurAwPW5UzFqRXS4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":31,"research_started_at":32,"research_completed_at":33,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":34},"CVE-2026-9016","debug-log-manager-unauthenticated-improper-output-neutralization-for-logs-via-logjserrors-ajax-action","Debug Log Manager \u003C= 2.5.0 - Unauthenticated Improper Output Neutralization for Logs via log_js_errors AJAX Action","The Debug Log Manager – Conveniently Monitor and Inspect Errors plugin for WordPress is vulnerable to Improper Output Neutralization for Logs in all versions up to, and including, 2.5.0. This is due to the `log_js_errors()` AJAX handler being registered for unauthenticated users via `wp_ajax_nopriv_log_js_errors` and gated only by a nonce that is publicly disclosed in every front-end page's HTML through `wp_localize_script()` whenever JavaScript error logging is enabled, providing no real authorization barrier. This makes it possible for unauthenticated attackers to inject arbitrary forged entries into the site's WordPress debug log by supplying attacker-controlled values for the `message`, `script`, `lineNo`, `columnNo`, and `pageUrl` fields — enabling spoofing of error and incident records, obscuring malicious activity within fabricated log noise, and misleading administrators who rely on the log for triage. This vulnerability is only exploitable when the plugin's JavaScript error logging feature is enabled, as the requisite nonce is only published into the page HTML under that condition.","debug-log-manager",null,"\u003C=2.5.0","2.5.1","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Improper Output Neutralization for Logs","2026-06-05 00:00:00","2026-06-06 04:28:22",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F25abca87-1be2-427e-ab01-377d52917052?source=api-prod",1,[22,23,24,25,26],"README.md","assets\u002Fjs\u002Fadmin.js","assets\u002Fjs\u002Fpublic.js","classes\u002Fclass-debug-log.php","debug-log-manager.php","researched",false,3,"# Research Plan: CVE-2026-9016 - Unauthenticated Log Injection in Debug Log Manager\n\n## 1. Vulnerability Summary\nThe **Debug Log Manager** plugin (\u003C= 2.5.0) contains a vulnerability that allows unauthenticated attackers to inject arbitrary entries into the WordPress debug log. This occurs because the `log_js_errors()` AJAX handler is registered for unauthenticated users (`wp_ajax_nopriv_log_js_errors`) and relies on a security nonce that is leaked in the front-end HTML source code when the \"JavaScript Error Logging\" feature is enabled. An attacker can use this to spoof error reports, create log noise to hide malicious activity, or mislead administrators.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `log_js_errors` (passed via the `action` URL parameter)\n- **Method**: `POST`\n- **Authentication**: None required (uses `wp_ajax_nopriv_`)\n- **Precondition**: The plugin's \"JavaScript Error Logging\" feature must be enabled.\n- **Vulnerable Parameter**: The entire JSON-encoded body of the POST request, specifically the `message`, `script`, `lineNo`, `columnNo`, and `pageUrl` fields.\n\n## 3. Code Flow\n1. **Hook Registration**: The plugin likely registers the AJAX actions in `classes\u002Fclass-ajax.php` (inferred from autoloader pattern and `assets\u002Fjs\u002Fpublic.js` functionality):\n   - `add_action('wp_ajax_log_js_errors', 'log_js_errors');`\n   - `add_action('wp_ajax_nopriv_log_js_errors', 'log_js_errors');`\n2. **Nonce Exposure**: In a class handling front-end assets (likely `classes\u002Fclass-public.php`), the plugin uses `wp_localize_script()` to pass the `dlmVars` object to `assets\u002Fjs\u002Fpublic.js`. This object includes `jsErrorLogging.nonce`.\n3. **Trigger**: When a JS error occurs or when an attacker manually invokes the request, `assets\u002Fjs\u002Fpublic.js` sends a POST request to `admin-ajax.php`.\n4. **Processing**: The `log_js_errors()` handler reads the input (likely via `php:\u002F\u002Finput` as it's sent as `application\u002Fjson`), verifies the nonce, and then formats a string containing the user-supplied fields.\n5. **Sink**: This formatted string is passed to `error_log()`, which writes it to the site's debug log file (the location of which is managed by the plugin in `classes\u002Fclass-debug-log.php`).\n\n## 4. Nonce Acquisition Strategy\nThe nonce is unique to the user session (for unauthenticated users, `uid=0`) and the `log_js_errors` action. It is exposed in the HTML of any front-end page when JS error logging is active.\n\n1.  **Check Status**: Use WP-CLI to ensure JS logging is enabled.\n    - `wp option get debug_log_manager_js_error_logging` (Guessing the option name; search for \"js_error\" in options if this fails).\n2.  **Access Page**: Navigate to the homepage or any public page.\n3.  **Extract Nonce**: Use the `browser_eval` tool to retrieve the nonce from the `dlmVars` global object.\n    - **JS Command**: `window.dlmVars?.jsErrorLogging?.nonce`\n\n## 5. Exploitation Strategy\n1.  **Setup**: Enable the plugin's debug logging and JavaScript error logging features.\n2.  **Target URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php?action=log_js_errors`\n3.  **Payload**: A JSON object containing the leaked nonce and malicious log content.\n4.  **Request Construction**:\n    - **Method**: `POST`\n    - **Content-Type**: `application\u002Fjson`\n    - **Body**: `{\"nonce\":\"[LEAKED_NONCE]\",\"message\":\"PHP Fatal error: Uncaught Error: Call to undefined function backdoored_function() in \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fakismet\u002Fakismet.php:123\",\"script\":\"https:\u002F\u002Fexample.com\u002Fmalicious.js\",\"lineNo\":666,\"columnNo\":13,\"pageUrl\":\"\u002Fwp-admin\u002F\",\"type\":\"front end\"}`\n5.  **Execution**: Use `http_request` to send the payload.\n\n## 6. Test Data Setup\n1.  **Plugin Activation**: Ensure `debug-log-manager` is active.\n2.  **Enable Features**:\n    - Use WP-CLI to enable the plugin's main logging: `wp eval \"update_option('debug_log_manager', ['status' => 'enabled', 'on' => date('Y-m-d H:i:s')]);\"`\n    - Enable JS error logging: `wp option update debug_log_manager_js_error_logging \"enabled\"` (Verify actual option name if necessary).\n3.  **Log Path**: Identify the custom log path: `wp option get debug_log_manager_file_path`.\n\n## 7. Expected Results\n- The AJAX request should return a `200 OK` or a success JSON response (e.g., `{\"success\":true}`).\n- The site's debug log file (found at the path retrieved in Step 6) will contain a new entry incorporating the strings provided in the `message`, `script`, and `pageUrl` fields.\n\n## 8. Verification Steps\n1.  **Check Log Content**: Read the last few lines of the debug log.\n    - `wp eval \"echo file_get_contents(get_option('debug_log_manager_file_path'));\" | tail -n 5`\n2.  **Confirm Injection**: Verify that the string `\"backdoored_function()\"` or the custom `message` value appears exactly as injected.\n\n## 9. Alternative Approaches\n- **URI Encoding**: If a raw JSON POST fails, try URI-encoding the body, as the JS in `assets\u002Fjs\u002Fpublic.js` uses `encodeURI(JSON.stringify(data))`.\n- **Parameter Variation**: Try sending the data via standard `application\u002Fx-www-form-urlencoded` if `application\u002Fjson` is not correctly handled by the server.\n- **XSS Check**: Since the plugin displays log entries in the admin dashboard (`classes\u002Fclass-debug-log.php`), check if injecting `\u003Cscript>alert(1)\u003C\u002Fscript>` into the `message` field leads to Stored XSS when viewing the \"Debug Log\" menu in `wp-admin`.","gemini-3-flash-preview","2026-06-26 04:21:08","2026-06-26 04:22:00",{"type":35,"vulnerable_version":36,"fixed_version":11,"vulnerable_browse":37,"vulnerable_zip":38,"fixed_browse":39,"fixed_zip":40,"all_tags":41},"plugin","2.5.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdebug-log-manager\u002Ftags\u002F2.5.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdebug-log-manager.2.5.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdebug-log-manager\u002Ftags\u002F2.5.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdebug-log-manager.2.5.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdebug-log-manager\u002Ftags"]