PT-2025-24035 · WordPress · Wp Email Debug
Kenneth Dunn · Published 2025-06-06 · Updated 2025-06-11
CVE-2025-5486
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
WP Email Debug plugin for WordPress versions 1.0 to 1.1.0
Description
The issue is related to a missing capability check on the WPMDBUG handle settings() function. This allows unauthenticated attackers to enable debugging, send all emails to an attacker-controlled address, and then trigger a password reset for an administrator to gain access to an administrator account.
Recommendations
For WP Email Debug plugin for WordPress versions 1.0 to 1.1.0, consider disabling the WPMDBUG handle settings() function until a patch is available to prevent exploitation. Restrict access to the debugging settings to minimize the risk of unauthorized access.
Fix
LPE
Missing Authorization
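The missing check named in the description, shown as the guard a WordPress settings handler needs before it writes options. This is an added example, not the WP Email Debug plugin's code; the function name, form fields, nonce action and option names are hypothetical.

```php
<?php
// Added illustration, NOT the WP Email Debug plugin's code.
// example_handle_settings, the example_debug_* fields/options and the
// nonce action are hypothetical names chosen for this sketch.

add_action( 'admin_init', 'example_handle_settings' );

function example_handle_settings() {
    // Only act when this settings form was submitted.
    if ( ! isset( $_POST['example_debug_submit'] ) ) {
        return;
    }

    // 1. Authorization. The hook a handler runs on is not an access
    //    control: admin_init also runs for logged-out requests to
    //    admin-ajax.php and admin-post.php. Check the capability itself.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html( 'You are not allowed to change these settings.' ),
            '',
            array( 'response' => 403 )
        );
    }

    // 2. Request origin. Reject submissions that lack the nonce printed
    //    into the settings form (defends the admin against CSRF).
    check_admin_referer( 'example_debug_save', 'example_debug_nonce' );

    // 3. Input validation. Store a redirect address only if it is valid.
    $enabled = ! empty( $_POST['example_debug_enabled'] );
    $raw     = isset( $_POST['example_debug_email'] )
        ? wp_unslash( $_POST['example_debug_email'] )
        : '';
    $email   = sanitize_email( $raw );

    if ( $enabled && ! is_email( $email ) ) {
        wp_die(
            esc_html( 'A valid debug address is required.' ),
            '',
            array( 'response' => 400 )
        );
    }

    update_option( 'example_debug_enabled', $enabled ? '1' : '0' );
    update_option( 'example_debug_email', $email );
}
```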
Affected Products
Wp Email Debug