What the vulnerability does
01Description
The Developer Loggers for Simple History plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.5 via the enabled_loggers parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
Explanation of Vulnerability in Simple Terms
02Summary
Developer Loggers for Simple History versions 0.5 and earlier contain a path traversal vulnerability that allows high-privileged users to read or write arbitrary files on the server. An attacker with admin-level access can exploit this by crafting malicious file paths to access files outside the intended directory. This affects confidentiality, integrity, and availability of the site.
What an attacker can do
03Attacker Capabilities
Read or write arbitrary files on the server filesystem.
Potential impact on your site
04Site Impact
A compromised admin account could expose sensitive files or modify site configuration and data.
Conditions required to exploit
05Prerequisites
Attacker must have high-level admin privileges and network access to the site.
Key dates
06Disclosure timeline
September 17, 2025
CVE published
April 8, 2026
Record updated