vulnerability

WordPress Plugin: wp-email-debug: CVE-2025-5486: Missing Authorization

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
10	(AV:N/AC:L/Au:N/C:C/I:C/A:C)	Jun 5, 2025	Jun 30, 2025	Jun 30, 2025

Severity

CVSS

(AV:N/AC:L/Au:N/C:C/I:C/A:C)

Published

Jun 5, 2025

Added

Jun 30, 2025

Modified

Jun 30, 2025

Description

The WP Email Debug plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the WPMDBUG_handle_settings() function in versions 1.0 to 1.1.0. This makes it possible for unauthenticated attackers to enable debugging and send all emails to an attacker controlled address and then trigger a password reset for an administrator to gain access to an administrator account.

Solution

wp-email-debug-plugin-cve-2025-5486

References

URL-https://www.cve.org/CVERecord?id=CVE-2025-5486
URL-https://www.wordfence.com/threat-intel/vulnerabilities/id/d3af64a2-3bd6-47af-919e-00c5249dcc74?source=api-prod
CVE-2025-5486
https://attackerkb.com/topics/CVE-2025-5486
CWE-862

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today