CVE-2025-5760

Name of the Vulnerable Software and Affected Versions The Simple History plugin for WordPress versions prior to 5.8.1

Description The issue concerns sensitive data exposure due to improper sanitization within the append debug info to context() function when Detective Mode is enabled. This allows the plugin's logger to capture the entire contents of $ POST, and sometimes raw request bodies or $ GET, without redacting any password-related keys. As a result, user passwords are written in clear text into the logs whenever a login form is submitted. This affects both authenticated attackers and users whose actions generate a login event, allowing administrators or those with database read access to retrieve the captured passwords.

Recommendations For versions prior to 5.8.1, update to version 5.8.1 or later to resolve the issue. As a temporary workaround, consider disabling Detective Mode until a patch is available. Restrict access to the logs to minimize the risk of password exposure.