WordPress · Simple History · CVE-2025-5760
**Name of the Vulnerable Software and Affected Versions**
The Simple History plugin for WordPress versions prior to 5.8.1
**Description**
The issue is a sensitive data exposure caused by improper sanitization within the `append_debug_info_to_context()` function when Detective Mode is enabled. In this mode the plugin's logger captures the entire contents of `$_POST`, and sometimes raw request bodies or `$_GET`, without redacting any password-related keys. As a result, user passwords are written in clear text into the logs whenever a login form is submitted. This affects both authenticated attackers and users whose actions generate a login event, and administrators or those with database read access can retrieve the captured passwords.
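The redaction step the description says was missing, as an added example (not Simple History's own code or its 5.8.1 fix): password-related keys are masked in request arrays and raw bodies before they reach a debug log context. The function names, the key pattern and the `_post`/`_raw_body` context keys are assumptions for illustration; `pwd` is the password field of the WordPress login form.

```php
<?php
// Added example. All names here are hypothetical, not Simple History's API.

const REDACTED = '[redacted]';
// Key names treated as password-related (assumption; extend per site).
const SENSITIVE_KEY_REGEX = '/pass|pwd/i';

/** Recursively mask values whose key looks password-related. */
function redact_sensitive(array $data): array
{
    $clean = [];
    foreach ($data as $key => $value) {
        if (preg_match(SENSITIVE_KEY_REGEX, (string) $key) === 1) {
            $clean[$key] = REDACTED;               // keep the key, drop the value
        } elseif (is_array($value)) {
            $clean[$key] = redact_sensitive($value); // nested form fields
        } else {
            $clean[$key] = $value;
        }
    }
    return $clean;
}

/** Raw bodies carry the same fields, so parse, redact and re-encode them. */
function redact_raw_body(string $body, string $content_type): string
{
    if (stripos($content_type, 'application/json') === 0) {
        $decoded = json_decode($body, true);
        return is_array($decoded)
            ? (string) json_encode(redact_sensitive($decoded))
            : '[unparseable body omitted]';
    }
    if (stripos($content_type, 'application/x-www-form-urlencoded') === 0) {
        parse_str($body, $fields);
        return http_build_query(redact_sensitive($fields));
    }
    return '[body omitted]';                       // unknown format: do not log it
}

// Constructed sample input: a login POST with the WordPress `log`/`pwd` fields.
$post = ['log' => 'alice', 'pwd' => 'S3cret!', 'meta' => ['new_password' => 'x']];
$context = [
    '_post'     => redact_sensitive($post),
    '_raw_body' => redact_raw_body('log=alice&pwd=S3cret%21', 'application/x-www-form-urlencoded'),
];
print_r($context);
```

Matching on key names only catches fields whose names reveal their purpose, so a login widget that posts the password under an unrelated key still needs an entry in the pattern.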
**Recommendations**
For versions prior to 5.8.1, update to version 5.8.1 or later to resolve the issue.
As a temporary workaround, consider disabling Detective Mode until a patch is available.
Restrict access to the logs to minimize the risk of password exposure.