CVE-2025-13494: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in jimmyredline80 SSP Debug
The SSP Debug plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.0. This is due to the plugin storing PHP error logs in a predictable, web-accessible location (wp-content/uploads/ssp-debug/ssp-debug.log) without any access controls. This makes it possible for unauthenticated attackers to view sensitive debugging information including full URLs, client IP addresses, User-Agent strings, WordPress user IDs, and internal filesystem paths.
AI Analysis
Technical Summary
CVE-2025-13494 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) affecting the SSP Debug plugin for WordPress developed by jimmyredline80. The issue arises because the plugin writes PHP error logs to a fixed, publicly accessible path (wp-content/uploads/ssp-debug/ssp-debug.log) without implementing any form of access control or authentication. As a result, any unauthenticated user can directly access this log file via a web browser. The logs contain sensitive debugging information such as full URLs accessed, client IP addresses, User-Agent strings, WordPress user IDs, and internal filesystem paths. This information can provide attackers with valuable insights into the internal workings of the WordPress site, potentially facilitating further targeted attacks or exploitation of other vulnerabilities. The vulnerability affects all plugin versions up to and including 1.0.0. The CVSS 3.1 base score is 5.3, reflecting a network attack vector with low complexity, no privileges required, no user interaction, and an impact limited to confidentiality loss. No integrity or availability impacts are noted. No patches or mitigations have been officially released at the time of publication, and no known exploits have been reported in the wild. The vulnerability was reserved on November 20, 2025, and published on December 5, 2025.
Potential Impact
The primary impact of this vulnerability is the unauthorized disclosure of sensitive information that can aid attackers in reconnaissance and subsequent attacks. Exposure of full URLs and internal filesystem paths can reveal the website’s structure and potentially sensitive endpoints. Client IP addresses and User-Agent strings can help attackers profile users or identify administrative users. Disclosure of WordPress user IDs may assist in brute force or social engineering attacks. Although this vulnerability does not directly compromise data integrity or availability, the leaked information can be leveraged to mount more severe attacks such as privilege escalation, code injection, or targeted phishing campaigns. Organizations using the SSP Debug plugin are at risk of indirect compromise due to this information leakage. The impact is especially significant for high-profile or sensitive websites where internal paths and user data exposure can lead to reputational damage and increased attack surface. Since no authentication or user interaction is required, exploitation is straightforward, increasing the likelihood of opportunistic scanning and data harvesting by attackers.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately restrict access to the ssp-debug.log file and the entire ssp-debug directory by implementing proper access controls. This can be achieved by configuring web server rules (e.g., .htaccess for Apache or location blocks for Nginx) to deny public access to the log directory or to require authentication. Alternatively, disable or uninstall the SSP Debug plugin if it is not essential. If debugging is necessary, logs should be stored outside the web root or in locations protected by authentication. Monitoring web server logs for unauthorized access attempts to the ssp-debug.log file can help detect exploitation attempts. Organizations should also keep their WordPress plugins updated and watch for official patches or updates from the vendor addressing this issue. Employing a web application firewall (WAF) with rules to block access to known debug log paths provides an additional layer of defense. Finally, regular security audits to identify exposed sensitive files are advised.
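The monitoring step above (watching web server logs for requests to ssp-debug.log) can be scripted. The following is an added example written for this advisory; it is not code from the SSP Debug plugin, from Wordfence, or from this page. It assumes the Apache/Nginx "combined" access-log format, and the sample log lines are constructed for illustration using documentation IP ranges. It reports whether the server actually served the log (HTTP 200, exposure confirmed) or blocked it (any other status, e.g. 403 after the .htaccess/Nginx rule is in place), so the same scan doubles as a check that the mitigation took effect.

```python
"""
Detection helper for CVE-2025-13494 (SSP Debug log exposure).
Added example for this advisory; not code from the plugin, Wordfence or the page.
Scans Apache/Nginx "combined" access-log lines for requests to the
web-accessible debug log and reports whether the server served it (HTTP 200)
or blocked it, so a defender can both spot harvesting and confirm the fix.
"""
import re
from collections import defaultdict

# Path named in the advisory. Additional site-specific debug paths could be
# appended here; only the advisory's path is included.
DEBUG_LOG_PATHS = ("/wp-content/uploads/ssp-debug/ssp-debug.log",)

# Combined log format:
#   ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    # Drop any query string so "?cachebust=1" variants still match the path.
    entry["path"] = entry["path"].split("?", 1)[0]
    return entry


def is_debug_log_request(entry):
    """True when the request targets the exposed debug log path."""
    return entry["path"] in DEBUG_LOG_PATHS


def scan(lines):
    """
    Return a report with:
      served   - requests the server answered with 200 (log content was exposed)
      blocked  - requests to the log path answered with any other status
      sources  - request count per client IP for the log path
      unparsed - lines that did not match the combined format
    """
    report = {"served": [], "blocked": [], "sources": defaultdict(int), "unparsed": 0}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            report["unparsed"] += 1
            continue
        if not is_debug_log_request(entry):
            continue
        report["sources"][entry["ip"]] += 1
        bucket = "served" if entry["status"] == 200 else "blocked"
        report[bucket].append(entry)
    report["sources"] = dict(report["sources"])
    return report


def exposure_confirmed(report):
    """True if at least one request for the debug log was served successfully."""
    return len(report["served"]) > 0


# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Dec/2025:10:01:02 +0000] "GET /wp-content/uploads/ssp-debug/ssp-debug.log HTTP/1.1" 200 48213 "-" "python-requests/2.31"',
    '203.0.113.7 - - [05/Dec/2025:10:01:09 +0000] "GET /wp-content/uploads/ssp-debug/ssp-debug.log?x=1 HTTP/1.1" 200 48213 "-" "python-requests/2.31"',
    '198.51.100.23 - - [05/Dec/2025:10:05:44 +0000] "GET /wp-content/uploads/ssp-debug/ssp-debug.log HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [05/Dec/2025:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    "malformed line that should be counted as unparsed",
]

if __name__ == "__main__":
    rep = scan(SAMPLE_LOG)
    print("exposure confirmed:", exposure_confirmed(rep))
    print("served:", len(rep["served"]), "blocked:", len(rep["blocked"]))
    print("sources:", rep["sources"], "unparsed:", rep["unparsed"])
```

In practice, feed `scan()` the lines of the live access log (for example `open("/var/log/apache2/access.log")`); a non-empty `served` list after the deny rule has been deployed means the rule is not matching and should be rechecked, and the `sources` counts give the client addresses to review for repeated harvesting.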
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Netherlands, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-20T21:57:46.360Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69326360f88dbe026c71795d
Added to database: 12/5/2025, 4:45:20 AM
Last enriched: 2/27/2026, 9:54:32 AM
Last updated: 3/25/2026, 3:09:45 AM