CVE-2026-9016
Status: Deferred - Pending Action
Improper Output Neutralization in Debug Log Manager WordPress Plugin

Publication date: 2026-06-06

Last updated on: 2026-06-08

Assigner: Wordfence

Description
The Debug Log Manager – Conveniently Monitor and Inspect Errors plugin for WordPress is vulnerable to Improper Output Neutralization for Logs in all versions up to, and including, 2.5.0. This is due to the `log_js_errors()` AJAX handler being registered for unauthenticated users via `wp_ajax_nopriv_log_js_errors` and gated only by a nonce that is publicly disclosed in every front-end page's HTML through `wp_localize_script()` whenever JavaScript error logging is enabled, providing no real authorization barrier. This makes it possible for unauthenticated attackers to inject arbitrary forged entries into the site's WordPress debug log by supplying attacker-controlled values for the `message`, `script`, `lineNo`, `columnNo`, and `pageUrl` fields, enabling spoofing of error and incident records, obscuring malicious activity within fabricated log noise, and misleading administrators who rely on the log for triage. This vulnerability is only exploitable when the plugin's JavaScript error logging feature is enabled, as the requisite nonce is only published into the page HTML under that condition.
Meta Information
Published: 2026-06-06
Last Modified: 2026-06-08
Generated: 2026-06-27
AI Q&A: 2026-06-06
EPSS Evaluated: 2026-06-25
Affected Vendors & Products (1 associated CPE)
Vendor: debug_log_manager; Product: debug_log_manager; Version range: up to and including 2.5.0
CWE
CWE-117: The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file.
Executive Summary

The Debug Log Manager plugin for WordPress is affected by an Improper Output Neutralization for Logs weakness (CWE-117) in all versions up to and including 2.5.0. The AJAX handler log_js_errors() is reachable by unauthenticated users and is protected only by a nonce that is published on every front-end page whenever JavaScript error logging is enabled. As a result, attackers can inject forged entries into the WordPress debug log by supplying their own values for the message, script, lineNo, columnNo, and pageUrl fields.

This allows attackers to spoof error and incident records, hide malicious activity within fake log entries, and mislead administrators who use the log for troubleshooting.

Impact Analysis

This vulnerability can impact you by allowing unauthenticated attackers to insert forged log entries into your WordPress debug logs. This can lead to misleading or false error and incident records.

Such spoofed logs can obscure real malicious activity, making it harder for administrators to detect and respond to security incidents effectively.

Detection Guidance

This vulnerability can be detected by checking if the Debug Log Manager plugin for WordPress is installed and running a version up to and including 2.5.0 with the JavaScript error logging feature enabled.

Since the vulnerability involves unauthenticated AJAX requests to the log_js_errors() handler, you can monitor your web server logs or network traffic for suspicious POST requests to /wp-admin/admin-ajax.php carrying action=log_js_errors. The name wp_ajax_nopriv_log_js_errors is the WordPress hook that registers that action for unauthenticated requests; it does not itself appear in the request.

Look for requests containing parameters like message, script, lineNo, columnNo, and pageUrl that might be used to inject forged log entries.

Commands to assist detection include grep to search web server access logs and curl to test the AJAX endpoint on a site you administer. Note that the action name travels in the POST body, which default access logs do not record, so search for POSTs to admin-ajax.php and correlate by source address and volume rather than grepping for the hook name:

  • grep 'POST /wp-admin/admin-ajax.php' /var/log/apache2/access.log
  • curl -X POST -d 'action=log_js_errors&message=test&script=test.js&lineNo=1&columnNo=1&pageUrl=http://example.com' https://yourwordpresssite.com/wp-admin/admin-ajax.php

The curl request omits the nonce the handler checks, so a rejected response does not by itself show that the site is patched; confirm the installed plugin version and the JavaScript error logging setting instead.
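The following is an added example, not part of this advisory or of the plugin's own code, showing how the log-monitoring guidance above can be applied to Apache combined-format access logs. Because the action parameter is in the POST body and absent from default access logs, the scanner works on what is visible: POSTs to admin-ajax.php per source address, burst rate, and missing Referer (a browser-originated error report from a front-end page normally carries the page as Referer). The log lines, IP addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines in Apache "combined" format (not real traffic).
# 203.0.113.7: one browser-originated report from a page (Referer set).
# 198.51.100.9: six scripted POSTs within five seconds, no Referer.
# 192.0.2.5: an unrelated GET to admin-ajax.php that must not be counted.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [06/Jun/2026:10:00:01 +0000] "GET /blog/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Jun/2026:10:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 34 "https://example.com/blog/" "Mozilla/5.0"
198.51.100.9 - - [06/Jun/2026:10:01:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 34 "-" "python-requests/2.31"
198.51.100.9 - - [06/Jun/2026:10:01:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 34 "-" "python-requests/2.31"
198.51.100.9 - - [06/Jun/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 34 "-" "python-requests/2.31"
198.51.100.9 - - [06/Jun/2026:10:01:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 34 "-" "python-requests/2.31"
198.51.100.9 - - [06/Jun/2026:10:01:04 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 34 "-" "python-requests/2.31"
198.51.100.9 - - [06/Jun/2026:10:01:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 34 "-" "python-requests/2.31"
192.0.2.5 - - [06/Jun/2026:10:05:00 +0000] "GET /wp-admin/admin-ajax.php?action=example HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [timestamp] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def sample_lines():
    return SAMPLE_ACCESS_LOG.splitlines()


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def ajax_posts(lines):
    """Yield parsed entries that are POSTs to admin-ajax.php (any action; the body is not logged)."""
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry["method"] != "POST":
            continue
        if entry["path"].split("?", 1)[0].endswith("/wp-admin/admin-ajax.php"):
            yield entry


def find_bursts(lines, threshold=5, window_seconds=60):
    """Return {ip: peak} for clients that sent at least `threshold` admin-ajax POSTs
    inside any sliding window of `window_seconds`; `peak` is the largest count seen."""
    by_ip = defaultdict(list)
    for entry in ajax_posts(lines):
        by_ip[entry["ip"]].append(entry["ts"])
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def missing_referer(lines):
    """Source IPs of admin-ajax POSTs that carry no Referer: a weak signal of scripted submission."""
    return [e["ip"] for e in ajax_posts(lines) if e["referer"] in ("", "-")]


if __name__ == "__main__":
    lines = sample_lines()
    print("admin-ajax POSTs:", len(list(ajax_posts(lines))))
    print("burst sources:", find_bursts(lines))
    print("no-referer sources:", sorted(set(missing_referer(lines))))
```

Both signals are heuristics: logged-in administrators and core WordPress features also POST to admin-ajax.php, so treat a flagged address as a lead to correlate with the debug log's timestamps, not as proof. For action-level visibility, enable request-body logging at the web server or WAF for this path.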
Mitigation Strategies

Immediate mitigation steps include disabling the JavaScript error logging feature in the Debug Log Manager plugin, as the vulnerability is only exploitable when this feature is enabled.

Alternatively, update the Debug Log Manager plugin to a version later than 2.5.0 if available, where this vulnerability is fixed.

If updating is not immediately possible, restrict access to the AJAX handler by implementing additional authorization checks or by adding firewall rules that block or rate-limit unauthenticated POST requests to /wp-admin/admin-ajax.php carrying action=log_js_errors (the action registered by the wp_ajax_nopriv_log_js_errors hook).
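As an added example that is not the plugin's code (the plugin is PHP; the logic is shown here in Python), the following illustrates the two controls the mitigation text calls for in a handler that must stay reachable by anonymous visitors: neutralizing each of the five request fields so that a submitted value cannot start a new log line or pose as a server-generated PHP error (the CWE-117 fix), and rate-limiting submissions per client. All function names, the record format, limits and the forged sample request are assumptions constructed for this example.

```python
import re
import time
from collections import defaultdict

# Characters that can forge a new record or hide text when written raw to a log:
# CR/LF, the other C0 control characters and DEL. (Hypothetical helper, not the plugin's code.)
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
MAX_FIELD_LEN = 500


def neutralize_log_field(value, max_len=MAX_FIELD_LEN):
    """Make an untrusted value safe to embed in a single-line log record:
    control characters become visible \\xNN escapes and the length is capped."""
    s = str(value)
    s = CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group(0)), s)
    if len(s) > max_len:
        s = s[:max_len] + "...[truncated]"
    return s


def parse_position(value):
    """lineNo / columnNo must be non-negative integers in a sane range; anything else becomes None."""
    try:
        n = int(str(value).strip())
    except ValueError:
        return None
    return n if 0 <= n <= 10_000_000 else None


def build_js_error_entry(fields):
    """Build one log line from the five request fields. Every field is neutralized and the
    record is tagged as client-supplied so reviewers do not mistake it for a PHP error."""
    return '[js-error source=untrusted-client] message="%s" script="%s" line=%s col=%s page="%s"' % (
        neutralize_log_field(fields.get("message", "")),
        neutralize_log_field(fields.get("script", "")),
        parse_position(fields.get("lineNo")),
        parse_position(fields.get("columnNo")),
        neutralize_log_field(fields.get("pageUrl", "")),
    )


class ClientRateLimiter:
    """Sliding-window limiter keyed by client (e.g. source IP): at most max_events
    submissions per window_seconds. Hypothetical; a real deployment would back this
    with shared storage rather than process memory."""

    def __init__(self, max_events=5, window_seconds=60):
        self.max_events = max_events
        self.window = window_seconds
        self._events = defaultdict(list)

    def allow(self, client_id, now=None):
        now = time.monotonic() if now is None else now
        recent = [t for t in self._events[client_id] if t > now - self.window]
        if len(recent) >= self.max_events:
            self._events[client_id] = recent
            return False
        recent.append(now)
        self._events[client_id] = recent
        return True


def handle_js_error_report(fields, client_id, limiter, now=None):
    """Decision for one unauthenticated report: None when dropped by the limiter,
    otherwise the single-line record to append to the log."""
    if not limiter.allow(client_id, now):
        return None
    return build_js_error_entry(fields)


# Constructed forged submission: the message embeds a newline followed by a fake PHP
# fatal-error line, lineNo is not a number, and pageUrl ends in CR/LF.
FORGED_REQUEST = {
    "message": "TypeError: x is undefined\n[06-Jun-2026 10:00:00 UTC] PHP Fatal error: Uncaught Exception in /var/www/html/wp-config.php:1",
    "script": "https://example.com/wp-content/themes/example/app.js",
    "lineNo": "12abc",
    "columnNo": "7",
    "pageUrl": "https://example.com/\r\n",
}


def demo():
    """Six reports from one client within a 60-second window: five accepted, the sixth dropped."""
    limiter = ClientRateLimiter(max_events=5, window_seconds=60)
    return [handle_js_error_report(FORGED_REQUEST, "198.51.100.9", limiter, now=float(i)) for i in range(6)]


if __name__ == "__main__":
    for record in demo():
        print(record)
```

The neutralized record stays on one line, so the embedded "PHP Fatal error" text is visibly part of a quoted client-supplied message rather than a separate entry, and the source tag lets anyone triaging the debug log filter client reports out when looking for genuine server errors.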

Compliance Impact

This vulnerability allows unauthenticated attackers to inject forged entries into the WordPress debug log, potentially obscuring malicious activity and misleading administrators who rely on the log for incident triage.

Such manipulation of logs can undermine the integrity and reliability of audit trails, which are critical for compliance with standards and regulations like GDPR and HIPAA that require accurate logging and monitoring of security events.

However, the provided information does not explicitly discuss the impact on compliance with these standards.
