Vulnerability Description
The SSP Debug plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.0. This is due to the plugin storing PHP error logs in a predictable, web-accessible location (wp-content/uploads/ssp-debug/ssp-debug.log) without any access controls. This makes it possible for unauthenticated attackers to view sensitive debugging information including full URLs, client IP addresses, User-Agent strings, WordPress user IDs, and internal filesystem paths.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/ssp-debugging/tags/1.0.0/ssp-debug.ph
- https://plugins.trac.wordpress.org/browser/ssp-debugging/trunk/ssp-debug.php#L22
- https://www.wordfence.com/threat-intel/vulnerabilities/id/66f29499-1522-43cd-af7
FAQ
What is CVE-2025-13494?
CVE-2025-13494 is a vulnerability with a CVSS score of 5.3 (MEDIUM). The SSP Debug plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.0. This is due to the plugin storing PHP error logs in a predictable, web-a...
How severe is CVE-2025-13494?
CVE-2025-13494 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-13494?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.