The Debug Log Manager plugin for WordPress suffers from improper output neutralization for logs (CWE-117) due to its `log_js_errors()` AJAX handler being registered for unauthenticated users via `wp_ajax_nopriv_log_js_errors`. The handler is protected only by a nonce that is publicly available on every front-end page when JavaScript error logging is enabled. This allows attackers to supply arbitrary values for fields such as `message`, `script`, `lineNo`, `columnNo`, and `pageUrl`, injecting forged log entries. This vulnerability enables spoofing of error and incident records, potentially obscuring real malicious activity within fabricated log noise. The vulnerability is exploitable only if the JavaScript error logging feature is enabled in the plugin.

An attacker can inject arbitrary, forged entries into the WordPress debug log without authentication, misleading administrators who rely on these logs for troubleshooting and security monitoring. This can obscure real malicious activity by creating noise or false indicators in the logs. There is no direct confidentiality or availability impact reported. The CVSS 3.1 base score is 5.3 (medium), reflecting network attack vector, low complexity, no privileges required, no user interaction, and impact limited to integrity of logs.

Patch status is not yet confirmed — no official fix or patch links are provided in the available data. Users should check the vendor advisory for current remediation guidance. Until a patch is available, administrators should consider disabling the JavaScript error logging feature in the plugin to prevent exposure of the nonce and block unauthenticated log injection. Monitoring for suspicious log entries and restricting access to debug logs may help reduce risk.