Qriouslad · Debug Log Manager – Conveniently Monitor/Inspect Errors · CVE-2026-9016
**Name of the Vulnerable Software and Affected Versions**
Debug Log Manager – Conveniently Monitor and Inspect Errors versions prior to 2.5.1
**Description**
The plugin is subject to improper output neutralization for logs. The `log_js_errors()` AJAX handler is registered for unauthenticated users via `wp_ajax_nopriv_log_js_errors` and is protected only by a nonce. This nonce is publicly disclosed in the HTML of every front-end page through `wp_localize_script()` when JavaScript error logging is enabled, so it provides no effective authorization barrier. Unauthenticated attackers can inject forged entries into the WordPress debug log by controlling the `message`, `script`, `lineNo`, `columnNo`, and `pageUrl` variables. This allows for the spoofing of incident records and the obscuring of malicious activity. This issue is only exploitable if the JavaScript error logging feature is enabled.
**Recommendations**
Update to a version later than 2.5.0.
As a temporary mitigation, disable the JavaScript error logging feature to prevent the nonce from being published in the page HTML.
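For developers maintaining a similar client-error logging handler, the following added example (not the plugin's code and not its 2.5.1 fix) shows output neutralization for the five fields named in the description, so that no client-supplied value can start a new log line or break out of its field. The function names, the `untrusted-client` tag, the length limit and the sample input are assumptions made for illustration.

```php
<?php
// Added example: neutralize client-supplied fields before writing one log line.
// Field names come from the advisory; everything else here is hypothetical.

/** Escape control characters, quotes and backslashes so a value stays inside its field. */
function neutralize_log_field(string $value, int $max_len = 300): string {
    // Byte-based cap; this may cut a multibyte character, which is harmless in a log.
    $value = substr($value, 0, $max_len);
    return preg_replace_callback(
        '/[\x00-\x1F\x7F"\\\\]/',
        function (array $m): string {
            $c = $m[0];
            // Quotes and backslashes are prefixed; CR, LF, ESC etc. become visible \xNN.
            return ($c === '"' || $c === '\\') ? '\\' . $c : sprintf('\\x%02X', ord($c));
        },
        $value
    );
}

/** Build a single-line entry, tagged so analysts can tell it came from an unauthenticated client. */
function neutralize_js_error(array $in): string {
    $int = function (string $k) use ($in): int {
        // Non-integers and out-of-range values fall back to 0.
        return filter_var($in[$k] ?? null, FILTER_VALIDATE_INT,
            ['options' => ['default' => 0, 'min_range' => 0, 'max_range' => 10000000]]);
    };
    $str = function (string $k) use ($in): string {
        return neutralize_log_field(is_string($in[$k] ?? null) ? $in[$k] : '');
    };
    return sprintf(
        '[js-error untrusted-client] message="%s" script="%s" line=%d col=%d page="%s"',
        $str('message'), $str('script'), $int('lineNo'), $int('columnNo'), $str('pageUrl')
    );
}

// Constructed input: the message tries to append a forged second log entry.
$sample = [
    'message'  => "x is undefined\n[01-Jan-2026 00:00:00 UTC] PHP Fatal error: forged entry",
    'script'   => 'https://example.test/app.js',
    'lineNo'   => '12',
    'columnNo' => 'abc',
    'pageUrl'  => 'https://example.test/?q="a"',
];
echo neutralize_js_error($sample), PHP_EOL;
```

The forged text still reaches the log, but as escaped content inside the `message` field of one tagged line rather than as a separate entry.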