Sensitive Data Exposure in Simple History Plugin for WordPress
CVE-2025-5760

4.9MEDIUM

Key Information:

Vendor: WordPress
Status: Simple History – Track, Log, And Audit WordPress Changes
Vendor: CVE Published:; 6 June 2025

What is CVE-2025-5760?

The Simple History plugin for WordPress exposes sensitive user data due to inadequate sanitization in the append_debug_info_to_context() function. When Detective Mode is activated, it logs entire contents of user submissions, including passwords, without redaction. This flaw allows authenticated attackers or users generating login events to have their plaintext passwords stored in logs, which can be accessed by those with database read permissions.

Affected Version(s)

Simple History – Track, Log, and Audit WordPress Changes 0 <= 5.8.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://simple-history.com/support/detective-mode/

https://wordpress.org/plugins/simple-history/#developers

CVSS V3.1

Score:

4.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 6, 2025
Vulnerability Reserved
Jun 5, 2025

Credit

Blair Crawford

CVE-2025-5760 Data

JSON