CVE-2025-5760: CWE-256 Plaintext Storage of a Password in eskapism Simple History – Track, Log, and Audit WordPress Changes
The Simple History plugin for WordPress is vulnerable to sensitive data exposure via Detective Mode due to improper sanitization within the append_debug_info_to_context() function in versions prior to 5.8.1. When Detective Mode is enabled, the plugin’s logger captures the entire contents of $_POST (and sometimes raw request bodies or $_GET) without redacting any password‐related keys. As a result, whenever a user submits a login form, whether via native wp_login or a third‐party login widget, their actual password is written in clear text into the logs. An authenticated attacker or any user whose actions generate a login event will have their password recorded; an administrator (or anyone with database read access) can then read those logs and retrieve every captured password.
AI Analysis
Technical Summary
CVE-2025-5760 is a vulnerability in the Simple History – Track, Log, and Audit WordPress Changes plugin caused by improper sanitization of logged data in Detective Mode. The append_debug_info_to_context() function records the full contents of $_POST and sometimes raw request bodies or $_GET without redacting password-related keys. As a result, user passwords submitted during login events are stored in plaintext within the plugin's logs. This exposure affects all versions prior to 5.8.1. The vulnerability requires authenticated access to trigger login events and read the logs. The CVSS 3.1 score is 4.9 (medium severity), reflecting network attack vector, low attack complexity, high privileges required, no user interaction, and high confidentiality impact.
Potential Impact
Passwords submitted during login are stored in plaintext in plugin logs accessible to administrators or anyone with database read access. This compromises user credential confidentiality but does not affect integrity or availability. An attacker with sufficient privileges can retrieve these passwords, potentially leading to further account compromise.
Mitigation Recommendations
No official patch or fix is currently documented in the provided data. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, it is recommended to disable Detective Mode to prevent logging of sensitive data. Restrict database access to trusted administrators only to limit exposure. Monitor vendor channels for updates and apply any official patches promptly once released.
CVE-2025-5760: CWE-256 Plaintext Storage of a Password in eskapism Simple History – Track, Log, and Audit WordPress Changes
Description
The Simple History plugin for WordPress is vulnerable to sensitive data exposure via Detective Mode due to improper sanitization within the append_debug_info_to_context() function in versions prior to 5.8.1. When Detective Mode is enabled, the plugin’s logger captures the entire contents of $_POST (and sometimes raw request bodies or $_GET) without redacting any password‐related keys. As a result, whenever a user submits a login form, whether via native wp_login or a third‐party login widget, their actual password is written in clear text into the logs. An authenticated attacker or any user whose actions generate a login event will have their password recorded; an administrator (or anyone with database read access) can then read those logs and retrieve every captured password.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-5760 is a vulnerability in the Simple History – Track, Log, and Audit WordPress Changes plugin caused by improper sanitization of logged data in Detective Mode. The append_debug_info_to_context() function records the full contents of $_POST and sometimes raw request bodies or $_GET without redacting password-related keys. As a result, user passwords submitted during login events are stored in plaintext within the plugin's logs. This exposure affects all versions prior to 5.8.1. The vulnerability requires authenticated access to trigger login events and read the logs. The CVSS 3.1 score is 4.9 (medium severity), reflecting network attack vector, low attack complexity, high privileges required, no user interaction, and high confidentiality impact.
Potential Impact
Passwords submitted during login are stored in plaintext in plugin logs accessible to administrators or anyone with database read access. This compromises user credential confidentiality but does not affect integrity or availability. An attacker with sufficient privileges can retrieve these passwords, potentially leading to further account compromise.
Mitigation Recommendations
No official patch or fix is currently documented in the provided data. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, it is recommended to disable Detective Mode to prevent logging of sensitive data. Restrict database access to trusted administrators only to limit exposure. Monitor vendor channels for updates and apply any official patches promptly once released.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-06-05T21:55:51.664Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 6842df031a426642debc93b5
Added to database: 6/6/2025, 12:28:51 PM
Last enriched: 4/9/2026, 10:32:15 AM
Last updated: 5/8/2026, 11:42:31 AM
Views: 292
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.