CVE-2025-10050 MEDIUM

CVE-2025-10050: Developer Loggers for Simple History <= 0.5 - Authenticated (Admin+) Local File Inclusion

Vendor Eskapism
Product Developer Loggers for Simple History
Weakness CWE-22 · Path traversal
Published September 17, 2025
Last update April 8, 2026

CVSS base score

6.6/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The Developer Loggers for Simple History plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.5 via the enabled_loggers parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
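One way to close this class of bug, shown as an added example that is neither the plugin's code nor its actual patch: treat each submitted `enabled_loggers` value as a slug, look it up in an allowlist built from one fixed directory, and confirm the canonical path before including it. The function name, the directory layout and the logger file names are assumptions made for the demonstration.

```php
<?php
// Hypothetical helper (not from the plugin): map submitted logger slugs to
// files that exist directly inside one fixed loggers directory.
function resolve_enabled_loggers(array $submitted, string $loggers_dir): array
{
    $base = realpath($loggers_dir);
    if ($base === false) {
        return [];
    }
    // Allowlist built from the directory itself, keyed by slug (file name without .php).
    $allowed = [];
    foreach (glob($base . DIRECTORY_SEPARATOR . '*.php') ?: [] as $file) {
        $allowed[basename($file, '.php')] = $file;
    }
    $resolved = [];
    foreach ($submitted as $slug) {
        // Reject non-strings and anything outside a strict slug alphabet:
        // no path separators, dots, NUL bytes or stream wrappers get through.
        if (!is_string($slug) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $slug)) {
            continue;
        }
        if (!isset($allowed[$slug])) {
            continue;
        }
        // Defence in depth: the canonical path must still sit directly in $base,
        // which also rejects symlinks that point outside the loggers directory.
        $real = realpath($allowed[$slug]);
        if ($real !== false && dirname($real) === $base) {
            $resolved[$slug] = $real;
        }
    }
    return $resolved;
}

// Constructed demo data: a temporary loggers directory and mixed submitted values.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'loggers_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'example_logger_a.php', "<?php // constructed sample\n");
file_put_contents($dir . DIRECTORY_SEPARATOR . 'example_logger_b.php', "<?php // constructed sample\n");

$submitted = ['example_logger_a', '../../wp-config', 'uploads/avatar', ['nested'], 'example_logger_b'];
$safe = resolve_enabled_loggers($submitted, $dir);
print_r(array_keys($safe)); // only the slugs that passed every check

foreach ($safe as $file) {
    require_once $file; // include only paths the resolver returned
}
array_map('unlink', glob($dir . DIRECTORY_SEPARATOR . '*.php'));
rmdir($dir);
```

Storing only the validated slugs, and re-running the resolver when the option is loaded, keeps a previously saved bad value from reaching an include.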

Explanation of Vulnerability in Simple Terms

02 Summary

Developer Loggers for Simple History versions 0.5 and earlier contain a path traversal vulnerability that allows high-privileged users to read or write arbitrary files on the server. An attacker with admin-level access can exploit this by crafting malicious file paths to access files outside the intended directory. This affects confidentiality, integrity, and availability of the site.

What an attacker can do

03 Attacker Capabilities

Read or write arbitrary files on the server filesystem.

Potential impact on your site

04 Site Impact

A compromised admin account could expose sensitive files or modify site configuration and data.

Conditions required to exploit

05 Prerequisites

Attacker must have high-level admin privileges and network access to the site.

Key dates

06 Disclosure timeline

September 17, 2025 CVE published
April 8, 2026 Record updated
