Vulnerabilities > CVE-2025-5486

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

CWE-862

critical

NVD

Published: 2025-06-06

Updated: 2025-06-06

Summary

The WP Email Debug plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the WPMDBUG_handle_settings() function in versions 1.0 to 1.1.0. This makes it possible for unauthenticated attackers to enable debugging and send all emails to an attacker controlled address and then trigger a password reset for an administrator to gain access to an administrator account.

Common Weakness Enumeration (CWE)

CWE-862 - Missing Authorization

References

https://plugins.trac.wordpress.org/browser/wp-email-debug/trunk/hooks.php#L71
https://www.wordfence.com/threat-intel/vulnerabilities/id/d3af64a2-3bd6-47af-919e-00c5249dcc74?source=cve

Vulnerabilities > CVE-2025-5486 {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Vulnerabilities","item":"https://cyber.vumetric.com/vulns/"},{"@type":"ListItem","position":2,"name":"CVE-2025-5486"}]}

Summary

Common Weakness Enumeration (CWE)

References

Vulnerabilities > CVE-2025-5486