CVE-2026-5130
Unauthenticated Privilege Escalation in WordPress Debugger Plugin
Publication date: 2026-03-30
Last updated on: 2026-03-30
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | debugger_and_troubleshooter | up to and including 1.3.2 |
| wordfence | debugger_and_troubleshooter | 1.4.0 (the fixed version, per the explanation below) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-565 | Reliance on Cookies without Validation and Integrity Checking: the product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can have severe impacts as it allows unauthenticated attackers to gain administrator-level access to a WordPress site running the affected plugin versions.
- Attackers can create new administrator accounts.
- They can modify site content arbitrarily.
- They can install malicious plugins.
- They can take complete control of the WordPress site.
Can you explain this vulnerability to me?
The Debugger & Troubleshooter plugin for WordPress had a vulnerability in versions up to and including 1.3.2 that allowed unauthenticated privilege escalation. This happened because the plugin accepted the wp_debug_troubleshoot_simulate_user cookie value directly as a user ID without any cryptographic validation or authorization checks.
By setting this cookie to a target user ID, an attacker could impersonate any user, including administrators, without needing to log in. This allowed the attacker to gain administrator-level access and perform privileged actions such as creating new administrator accounts, modifying site content, installing plugins, or taking full control of the WordPress site.
The issue was fixed in version 1.4.0 by implementing a cryptographic token-based validation system that restricts user simulation to administrators and validates the cookie against database-stored tokens.
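To make the two behaviours concrete, the following is an added illustrative model in Python of the vulnerable pattern (the cookie value is taken directly as a user ID) next to the token-based pattern the text describes for 1.4.0. It is example code written for this page, not the plugin's own code: the in-memory USERS table, the SIMULATION_TOKENS store and the function names are constructed stand-ins for the WordPress users table and the database-stored tokens.

```python
import hmac
import secrets
from typing import Dict, Optional

COOKIE_NAME = "wp_debug_troubleshoot_simulate_user"

# Constructed stand-in for the WordPress users table: user ID -> role.
USERS: Dict[int, str] = {1: "administrator", 7: "editor", 42: "subscriber"}


def resolve_simulated_user_vulnerable(cookies: Dict[str, str]) -> Optional[int]:
    """Pre-1.4.0 pattern as described on the page: the cookie value IS the
    user ID. No login, no capability check, no integrity check, so any
    unauthenticated client that sets the cookie becomes that user."""
    raw = cookies.get(COOKIE_NAME)
    if raw is None or not raw.isdigit():
        return None
    uid = int(raw)
    return uid if uid in USERS else None


# Constructed stand-in for the database-stored token -> user ID mapping.
SIMULATION_TOKENS: Dict[str, int] = {}


def start_simulation(acting_user_id: int, target_user_id: int) -> str:
    """Hardened pattern: only an administrator may start a simulation, and the
    cookie receives an opaque random token. The token -> user ID mapping
    stays server-side, so the cookie carries no forgeable user ID."""
    if USERS.get(acting_user_id) != "administrator":
        raise PermissionError("only administrators may simulate users")
    if target_user_id not in USERS:
        raise ValueError("unknown target user")
    token = secrets.token_hex(32)  # 256 bits of randomness, unguessable
    SIMULATION_TOKENS[token] = target_user_id
    return token


def resolve_simulated_user_hardened(cookies: Dict[str, str]) -> Optional[int]:
    """Look the cookie value up as a token. A raw user ID such as "1" matches
    nothing. Constant-time comparison avoids leaking token bytes via timing."""
    presented = cookies.get(COOKIE_NAME)
    if not presented or not presented.isascii():
        return None
    for stored, uid in SIMULATION_TOKENS.items():
        if hmac.compare_digest(stored, presented):
            return uid
    return None


if __name__ == "__main__":
    forged = {COOKIE_NAME: "1"}
    print("vulnerable:", resolve_simulated_user_vulnerable(forged))  # 1 (administrator)
    print("hardened:", resolve_simulated_user_hardened(forged))      # None
    tok = start_simulation(acting_user_id=1, target_user_id=42)
    print("hardened with issued token:", resolve_simulated_user_hardened({COOKIE_NAME: tok}))  # 42
```

The point of the hardened version is that the cookie no longer encodes the decision: it is a lookup key into state the server created, and that state is only created by an administrator.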
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should immediately update the Debugger & Troubleshooter plugin for WordPress to version 1.4.0 or later.
This update fixes the vulnerability by implementing a cryptographic token-based validation system that restricts user simulation to administrators only and validates the cookie token against database-stored mappings.
Until the update is applied, consider disabling the plugin to prevent exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthenticated attackers to gain administrator-level access to a WordPress site, enabling them to perform privileged actions such as creating new administrator accounts, modifying site content, installing plugins, or taking complete control of the site.
Such unauthorized access and control could lead to exposure or alteration of sensitive personal data, which may result in non-compliance with data protection regulations like GDPR or HIPAA that require strict access controls and protection of personal information.
Therefore, exploitation of this vulnerability could compromise compliance with these common standards and regulations by violating requirements for data confidentiality, integrity, and access control.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether the Debugger & Troubleshooter plugin for WordPress is installed and running a version up to and including 1.3.2. Because exploitation consists of sending the wp_debug_troubleshoot_simulate_user cookie with an attacker-chosen user ID, any request carrying this cookie from a client that never started a simulation as an administrator is an exploitation attempt. In vulnerable versions the cookie value is a plain numeric user ID (for example 1 for the first administrator account), whereas 1.4.0 and later expect a server-issued token.
To look for exploitation, inspect HTTP request headers for the cookie and treat numeric values, or values arriving from unexpected source addresses, as suspicious.
Example commands for a web server log or live traffic, with the caveat that applies to each:
- Using grep on access logs to find requests containing the cookie: grep 'wp_debug_troubleshoot_simulate_user' /path/to/access.log. This only finds anything if your log format records the Cookie request header; the stock "combined" format in Apache and nginx does not, so add %{Cookie}i (Apache LogFormat) or $http_cookie (nginx log_format) first, and accept that this will not show historic traffic logged before the change.
- Using tshark to capture HTTP traffic and filter for the cookie: tshark -i eth0 -Y 'http.cookie contains "wp_debug_troubleshoot_simulate_user"'. This only sees plaintext HTTP; for an HTTPS site, capture behind the TLS terminator (reverse proxy or load balancer) or rely on server-side logs instead.
- Using curl to test whether a site you are authorized to test honors the cookie: curl -v --cookie "wp_debug_troubleshoot_simulate_user=1" https://targetsite.com/wp-admin/. Compare the response with the same request sent without the cookie; if the cookied request is treated as a logged-in user (for instance, /wp-admin/ returns the dashboard instead of redirecting to wp-login.php), the cookie is being honored and the site is vulnerable.
Additionally, verifying the plugin version installed on the WordPress site and updating to version 1.4.0 or later will mitigate this vulnerability.
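As an added example of the log-based detection described above (written for this page, not taken from the original), the following Python script parses access-log lines in Apache combined format with the Cookie header appended as a trailing quoted field (what adding %{Cookie}i to the LogFormat produces), flags every request that carries the simulate-user cookie, marks numeric values as raw user-ID impersonation attempts, and totals those per source address. The log lines, addresses, timestamps and cookie values are constructed sample data, not real traffic.

```python
import re
from collections import Counter
from typing import Dict, List

COOKIE_NAME = "wp_debug_troubleshoot_simulate_user"

# Constructed sample log (not real traffic). Apache "combined" format with
# "%{Cookie}i" appended as a final quoted field; the stock combined format
# does not record cookies at all.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Mar/2026:10:00:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "curl/8.5.0" "wp_debug_troubleshoot_simulate_user=1"
203.0.113.5 - - [30/Mar/2026:10:00:03 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0 "-" "curl/8.5.0" "wp_debug_troubleshoot_simulate_user=1; wordpress_test_cookie=WP%20Cookie%20check"
198.51.100.7 - - [30/Mar/2026:10:01:10 +0000] "GET / HTTP/1.1" 200 9000 "-" "Mozilla/5.0" "wordpress_test_cookie=WP%20Cookie%20check"
192.0.2.9 - - [30/Mar/2026:10:02:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "wp_debug_troubleshoot_simulate_user=3f9a1c7be204d85a; wordpress_logged_in_abc=admin%7C1774864800"
"""

# ip ident user [timestamp] "request" status bytes "referer" "user-agent" "cookies"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<cookies>[^"]*)"$'
)


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split 'a=1; b=2' into a dict; tolerates empty and valueless parts."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if "=" in part:
            name, value = part.split("=", 1)
            cookies[name.strip()] = value.strip()
    return cookies


def find_simulation_cookie_hits(log_text: str) -> List[Dict[str, object]]:
    """Return one record per request that carries the simulate-user cookie.
    raw_user_id is True when the value is a bare number, the pre-1.4.0
    exploit shape; an opaque hex value looks like a 1.4.0 token instead."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        cookies = parse_cookie_header(m["cookies"])
        if COOKIE_NAME not in cookies:
            continue
        value = cookies[COOKIE_NAME]
        hits.append({
            "ip": m["ip"],
            "time": m["ts"],
            "request": m["req"],
            "status": int(m["status"]),
            "value": value,
            "raw_user_id": value.isdigit(),
        })
    return hits


def impersonation_attempts_by_ip(hits: List[Dict[str, object]]) -> Counter:
    """Count raw-user-ID cookie uses per source address."""
    return Counter(h["ip"] for h in hits if h["raw_user_id"])


if __name__ == "__main__":
    hits = find_simulation_cookie_hits(SAMPLE_LOG)
    for h in hits:
        flag = "RAW USER ID" if h["raw_user_id"] else "opaque token"
        print(f'{h["ip"]} {h["request"]!r} cookie={h["value"]} [{flag}]')
    print("impersonation attempts by IP:", dict(impersonation_attempts_by_ip(hits)))
```

On the constructed sample this reports two raw user-ID attempts from 203.0.113.5 (the second of them a POST to user-new.php, the admin page for creating accounts, which is exactly the follow-on action the impact section describes) and leaves the token-shaped value from 192.0.2.9 unflagged. For nginx, the same script works if $http_cookie is appended as the last quoted field of the log_format.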