Debugger & Troubleshooter <= 1.3.2 - Unauthenticated Privilege Escalation to Administrator via Cookie Manipulation
Description
The Debugger & Troubleshooter plugin for WordPress was vulnerable to Unauthenticated Privilege Escalation in versions up to and including 1.3.2. This was due to the plugin accepting the wp_debug_troubleshoot_simulate_user cookie value directly as a user ID without any cryptographic validation or authorization checks. The cookie value was used to override the determine_current_user filter, which allowed unauthenticated attackers to impersonate any user by simply setting the cookie to their target user ID. This made it possible for unauthenticated attackers to gain administrator-level access and perform any privileged actions including creating new administrator accounts, modifying site content, installing plugins, or taking complete control of the WordPress site. The vulnerability was fixed in version 1.4.0 by implementing a cryptographic token-based validation system where only administrators can initiate user simulation, and the cookie contains a random 64-character token that must be validated against database-stored mappings rather than accepting arbitrary user IDs.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HTechnical Details
<=1.3.2What Changed in the Fix
Changes introduced in v1.4.0
Source Code
WordPress.org SVNThis research plan outlines the steps to exploit **CVE-2026-5130**, a critical unauthenticated privilege escalation vulnerability in the **Debugger & Troubleshooter** plugin (<= 1.3.2). ## 1. Vulnerability Summary The "Debugger & Troubleshooter" plugin includes a "User Role Simulator" feature inten…
Show full research plan
This research plan outlines the steps to exploit CVE-2026-5130, a critical unauthenticated privilege escalation vulnerability in the Debugger & Troubleshooter plugin (<= 1.3.2).
1. Vulnerability Summary
The "Debugger & Troubleshooter" plugin includes a "User Role Simulator" feature intended to allow administrators to view the site as different users for testing purposes. The vulnerability stems from a lack of authorization and integrity checks when processing the simulation state. The plugin reads a user ID directly from the wp_debug_troubleshoot_simulate_user cookie and uses it to override the current WordPress user via the determine_current_user filter.
Because the cookie is not cryptographically signed, validated against a server-side session, or restricted to already-authenticated administrators, an unauthenticated attacker can simply provide this cookie with the ID of an administrator (typically 1) to gain full administrative access to the site.
2. Attack Vector Analysis
- Endpoint: Any WordPress URL (frontend or backend). The vulnerability is triggered during the WordPress bootstrap process.
- Vulnerable Parameter: The HTTP Cookie header.
- Cookie Name:
wp_debug_troubleshoot_simulate_user(defined by the constantSIMULATE_USER_COOKIE). - Authentication: Unauthenticated. No valid session or login is required.
- Preconditions: The plugin must be active.
3. Code Flow
- Entry Point: In
debug-troubleshooter.php, theDebug_Troubleshooterclass constructor registers theinit_user_simulationmethod on theplugins_loadedhook at priority0.add_action('plugins_loaded', array($this, 'init_user_simulation'), 0); - Cookie Processing: Inside
init_user_simulation()(inferred from the patch description and constants), the code checks for the existence of thewp_debug_troubleshoot_simulate_usercookie. - Filter Registration: If the cookie is present, the plugin registers a filter on
determine_current_user.add_filter('determine_current_user', array($this, 'filter_determine_current_user')); - Sink (Identity Theft): The callback
filter_determine_current_user(inferred) retrieves the value from the cookie and returns it as the current user ID.public function filter_determine_current_user($user_id) { if (isset($_COOKIE['wp_debug_troubleshoot_simulate_user'])) { return (int) $_COOKIE['wp_debug_troubleshoot_simulate_user']; } return $user_id; } - Execution Context: Because
plugins_loadedpriority0runs extremely early, this filter is in place before WordPress core attempts to authenticate the user, effectively bypassing the entire authentication system.
4. Nonce Acquisition Strategy
No nonce is required.
The vulnerability resides in the way the plugin handles every incoming request based on cookies. It does not require interacting with the AJAX handlers (wp_ajax_debug_troubleshoot_toggle_simulate_user) which do implement nonce checks. By manually setting the cookie, the attacker bypasses the "official" UI toggle and its associated security checks.
5. Exploitation Strategy
The goal is to access the WordPress Admin Dashboard as the primary administrator.
- Step 1: Identify Target User ID: In standard WordPress installations, the first administrator created has ID
1. - Step 2: Forge Request: Use the
http_requesttool to send a GET request to/wp-admin/with the malicious cookie. - Step 3: Verification of Escalation: Check the response body for indicators of administrative access (e.g., the presence of the "Plugins" menu or the string "Dashboard").
Specific Payload
- Method:
GET - URL:
/wp-admin/ - Headers:
Cookie: wp_debug_troubleshoot_simulate_user=1
6. Test Data Setup
- Target User: Ensure a user with ID
1exists and is an administrator (default behavior). - Plugin Activation: The Debugger & Troubleshooter plugin (version 1.3.2) must be installed and activated.
- Environment: No specific settings are required within the plugin, as the vulnerable code runs automatically on every page load if the cookie is detected.
7. Expected Results
- Response Code:
200 OK(instead of a redirect towp-login.php). - Response Content: The HTML source of the WordPress Dashboard.
- Administrative Capabilities: Elements like
<li id="menu-plugins">or<div id="wpadminbar">will be present in the response, confirming that the site perceives the unauthenticated requester as the user with ID1.
8. Verification Steps
After the http_request, confirm the vulnerability using the execution agent:
- Check for Admin Elements:
// Run via browser_eval on the /wp-admin/ page !!document.querySelector('#menu-settings') && !!document.querySelector('#menu-plugins') - Verify Identity via WP-CLI:
Since the exploit is session-based via cookie, use the cookie in anhttp_requestto an AJAX action that returns user info, or verify that the admin dashboard loads successfully.
9. Alternative Approaches
If ID 1 is not the administrator:
- Enumerate User IDs: Iterate through common IDs (1, 2, 3, etc.) in the cookie until the
/wp-admin/request returns a200 OKcontaining admin strings. - Examine Public Data: Visit
/wp-json/wp/v2/usersto identify available user IDs and their roles (if the REST API is public). - Bypass Login Page: If
/wp-admin/redirects to/wp-admin/index.php, ensure the cookie is passed to the redirected URL as well.
Summary
The Debugger & Troubleshooter plugin is vulnerable to unauthenticated privilege escalation because it trusts the 'wp_debug_troubleshoot_simulate_user' cookie as a source of truth for the current user's identity. By setting this cookie to a target administrator's ID, an attacker can bypass standard authentication and gain full control over the WordPress site via the 'determine_current_user' filter.
Vulnerable Code
// debug-troubleshooter.php around line 797 public function init_user_simulation() { if (isset($_COOKIE[self::SIMULATE_USER_COOKIE])) { $this->simulated_user_id = (int) $_COOKIE[self::SIMULATE_USER_COOKIE]; // Hook into determine_current_user to override the user ID. // Priority 20 ensures we run after most standard authentication checks. add_filter('determine_current_user', array($this, 'simulate_user_filter'), 20); } } // The callback (inferred) returns the simulated ID directly public function simulate_user_filter($user_id) { if ($this->simulated_user_id) { return $this->simulated_user_id; } return $user_id; }
Security Fix
@@ -797,11 +827,16 @@ public function init_user_simulation() { if (isset($_COOKIE[self::SIMULATE_USER_COOKIE])) { - $this->simulated_user_id = (int) $_COOKIE[self::SIMULATE_USER_COOKIE]; - - // Hook into determine_current_user to override the user ID. - // Priority 20 ensures we run after most standard authentication checks. - add_filter('determine_current_user', array($this, 'simulate_user_filter'), 20); + $token = sanitize_text_field(wp_unslash($_COOKIE[self::SIMULATE_USER_COOKIE])); + $sim_users = get_option('dbgtbl_sim_users', array()); + + if (isset($sim_users[$token])) { + $this->simulated_user_id = (int) $sim_users[$token]; + + // Hook into determine_current_user to override the user ID. + // Priority 20 ensures we run after most standard authentication checks. + add_filter('determine_current_user', array($this, 'simulate_user_filter'), 20); + } } }
Exploit Outline
The exploit is unauthenticated and requires no specific site state other than the plugin being active. 1. Target Identification: The attacker identifies the User ID of an administrator (typically ID 1 on default WordPress installations). 2. Request Forgery: The attacker crafts an HTTP request (GET or POST) to any endpoint on the target site (e.g., /wp-admin/). 3. Payload: The attacker includes an HTTP Cookie header: 'wp_debug_troubleshoot_simulate_user=1'. 4. Access: Because the plugin runs 'init_user_simulation' on 'plugins_loaded' at priority 0, it overrides the identity of the requester to the specified User ID before the core WordPress authentication logic finishes. The attacker is immediately treated as a logged-in administrator for the duration of the request.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.