CVE-2025-5760
Simple History <= 5.8.1 - Authenticated (Administrator+) Sensitive Information Exposure via Detective Mode
We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
Simple History <= 5.8.1 - Authenticated (Administrator+) Sensitive Information Exposure via Detective Mode
The Simple History plugin for WordPress is vulnerable to sensitive data exposure via Detective Mode due to improper sanitization within the append_debug_info_to_context() function in versions prior to 5.8.1. When Detective Mode is enabled, the plugin’s logger captures the entire contents of $_POST (and sometimes raw request bodies or $_GET) without redacting any password‐related keys. As a result, whenever a user submits a login form, whether via native wp_login or a third‐party login widget, their actual password is written in clear text into the logs. An authenticated attacker or any user whose actions generate a login event will have their password recorded; an administrator (or anyone with database read access) can then read those logs and retrieve every captured password.
Reserved 2025-06-05 | Published 2025-06-06 | Updated 2025-06-06 | Assigner WordfenceCWE-256 Plaintext Storage of a Password
| 2025-06-05: | Disclosed |
Blair Crawford
www.wordfence.com/...-da02-4236-b635-d8fbd27faa33?source=cve
simple-history.com/support/detective-mode/
wordpress.org/plugins/simple-history/
github.com/bonny/WordPress-Simple-History/issues/546
github.com/...ommit/68eab0cab6882eafef4bfece884093eeda5ac018
wordpress.org/...ity-passwords-stored-as-plain-text-in-logs/
plugins.trac.wordpress.org/changeset/3267487/
Support options
