CVE-2026-5130 HIGH

CVE-2026-5130: Debugger & Troubleshooter <= 1.3.2 - Unauthenticated Privilege Escalation to Administrator via Cookie Manipulation

Vendor Jhimross
Product Debugger & Troubleshooter
Weakness CWE-565 · Reliance on Cookies without Validation and Integrity Checking
Published March 30, 2026
Last update April 8, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The Debugger & Troubleshooter plugin for WordPress was vulnerable to Unauthenticated Privilege Escalation in versions up to and including 1.3.2. This was due to the plugin accepting the wp_debug_troubleshoot_simulate_user cookie value directly as a user ID without any cryptographic validation or authorization checks. The cookie value was used to override the determine_current_user filter, which allowed unauthenticated attackers to impersonate any user by simply setting the cookie to their target user ID. This made it possible for unauthenticated attackers to gain administrator-level access and perform any privileged actions including creating new administrator accounts, modifying site content, installing plugins, or taking complete control of the WordPress site. The vulnerability was fixed in version 1.4.0 by implementing a cryptographic token-based validation system where only administrators can initiate user simulation, and the cookie contains a random 64-character token that must be validated against database-stored mappings rather than accepting arbitrary user IDs.
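The following PHP is an added illustration, not code from the plugin or its author. It shows the pattern the description above outlines, first the unsafe form (a cookie value consumed directly as a user ID through the determine_current_user filter) and then a hardened form along the lines of the described fix: only an administrator may start a simulation, the cookie carries an opaque random 64-character token rather than a user ID, and the token is resolved against a server-side mapping. The cookie name and the filter are from the page; every function, option and constant name prefixed wpdt_ / WPDT_ is hypothetical, and the caller of the start routine is assumed to perform its own nonce check.

```php
<?php
/**
 * Added illustration (hypothetical names, not the plugin's own code) of a
 * "simulate user" cookie handled via the determine_current_user filter.
 */

// --- Unsafe pattern (the kind of logic described for <= 1.3.2) ------------
// The cookie value is trusted as a user ID with no integrity check, so the
// filter returns whatever ID the client chose to send. Not registered here.
function wpdt_unsafe_determine_user( $user_id ) {
    if ( ! empty( $_COOKIE['wp_debug_troubleshoot_simulate_user'] ) ) {
        return (int) $_COOKIE['wp_debug_troubleshoot_simulate_user'];
    }
    return $user_id;
}

// --- Hardened pattern (the approach the fix description outlines) ---------
define( 'WPDT_SIM_COOKIE', 'wp_debug_troubleshoot_simulate_user' );
define( 'WPDT_SIM_TTL', HOUR_IN_SECONDS );

// Storage key derived from the token so the raw token is never persisted.
function wpdt_sim_key( $token ) {
    return 'wpdt_sim_' . hash( 'sha256', $token );
}

// Called from an admin-only action; nonce verification is assumed in the caller.
function wpdt_start_simulation( $target_user_id ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return false; // initiation restricted to administrators
    }
    $target_user_id = (int) $target_user_id;
    if ( ! get_userdata( $target_user_id ) ) {
        return false; // unknown user
    }
    // 64 alphanumeric characters from WordPress' CSPRNG-backed generator.
    $token = wp_generate_password( 64, false, false );
    // Mapping lives server-side and expires; the admin who started it is
    // recorded so the simulation can be attributed in an audit log.
    set_transient( wpdt_sim_key( $token ), array(
        'user_id'  => $target_user_id,
        'admin_id' => get_current_user_id(),
    ), WPDT_SIM_TTL );

    setcookie( WPDT_SIM_COOKIE, $token, time() + WPDT_SIM_TTL,
        COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true ); // Secure on HTTPS, HttpOnly
    return true;
}

function wpdt_safe_determine_user( $user_id ) {
    if ( empty( $_COOKIE[ WPDT_SIM_COOKIE ] ) ) {
        return $user_id;
    }
    $token = (string) $_COOKIE[ WPDT_SIM_COOKIE ];
    // Reject anything that is not the expected token shape before touching storage.
    if ( ! preg_match( '/^[A-Za-z0-9]{64}$/', $token ) ) {
        return $user_id;
    }
    $mapping = get_transient( wpdt_sim_key( $token ) );
    if ( ! is_array( $mapping ) || empty( $mapping['user_id'] ) ) {
        return $user_id; // unknown or expired token: no impersonation
    }
    return (int) $mapping['user_id'];
}

function wpdt_end_simulation() {
    if ( ! empty( $_COOKIE[ WPDT_SIM_COOKIE ] ) ) {
        delete_transient( wpdt_sim_key( (string) $_COOKIE[ WPDT_SIM_COOKIE ] ) );
        setcookie( WPDT_SIM_COOKIE, '', time() - 3600, COOKIEPATH, COOKIE_DOMAIN );
    }
}

// Priority 20 so core's own cookie authentication (priority 10) runs first.
add_filter( 'determine_current_user', 'wpdt_safe_determine_user', 20 );
```

The point of the hardened version is that the cookie no longer carries any authority of its own: a client-chosen value is only ever a lookup key, and a value that was not minted by an administrator action resolves to nothing. For detection on sites still running an affected version, requests carrying the wp_debug_troubleshoot_simulate_user cookie from clients that have no authenticated session are the signal to look for in access logs.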

Explanation of Vulnerability in Simple Terms

02 Summary

The Debugger & Troubleshooter plugin versions 1.3.2 and earlier contain a flaw that allows authenticated users with low privileges to read sensitive data, modify site content, or disrupt service. The vulnerability requires network access and valid login credentials but no additional user interaction. Site administrators should update immediately to version 1.4.0 or later.

What an attacker can do

03 Attacker Capabilities

Read sensitive data, modify site content, or disrupt service availability.

Potential impact on your site

04 Site Impact

Any logged-in user can compromise site data, content integrity, or availability without further authorization.

Conditions required to exploit

05 Prerequisites

Attacker must have a valid low-privilege user account and network access to the site.

Key dates

06 Disclosure timeline

March 30, 2026 CVE published
April 8, 2026 Record updated