CVE-2025-13494: High-Severity Data Leak in SSP Debug WordPress Plugin

Overview

CVE-2025-13494 identifies a sensitive information exposure vulnerability in the SSP Debug plugin for WordPress. This vulnerability affects all versions of the plugin up to and including 1.0.0. The core issue lies in the plugin’s storage of PHP error logs in a publicly accessible location without proper access controls, potentially revealing sensitive information to unauthorized users.

Technical Details

The SSP Debug plugin, designed to assist with debugging WordPress sites, inadvertently saves PHP error logs to a predictable and web-accessible directory: wp-content/uploads/ssp-debug/ssp-debug.log. Due to the absence of access restrictions on this directory, any unauthenticated attacker can directly access the log file through a web browser. The logs may contain:

  • Full URLs of visited pages
  • Client IP addresses
  • User-Agent strings
  • WordPress user IDs
  • Internal filesystem paths

The vulnerable code responsible for creating this log file can be found in the ssp-debug.php file of the plugin. You can view it in the plugin’s source code on WordPress.org.

CVSS Analysis

The vulnerability has been assigned a CVSS score of 5.3, indicating a MEDIUM severity. The CVSS vector is likely similar to: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

  • Attack Vector (AV:N): Network – The vulnerability can be exploited over the network.
  • Attack Complexity (AC:L): Low – Exploitation requires minimal effort.
  • Privileges Required (PR:N): None – No authentication is required to exploit the vulnerability.
  • User Interaction (UI:N): None – No user interaction is required.
  • Scope (S:U): Unchanged – An exploited vulnerability cannot affect resources beyond the security scope managed by the security authority.
  • Confidentiality (C:L): Low – There is limited disclosure of information.
  • Integrity (I:N): None – There is no impact to integrity.
  • Availability (A:N): None – There is no impact to availability.

Possible Impact

Successful exploitation of this vulnerability can lead to:

  • Information Disclosure: Attackers can gain access to sensitive data, potentially exposing user information, site structure, and internal server paths.
  • Account Enumeration: Exposed user IDs can be used to identify valid user accounts on the WordPress site.
  • Further Exploitation: The revealed information can be used as a stepping stone for more sophisticated attacks. For example, leaked file paths could be targeted for local file inclusion vulnerabilities if they exist.

Mitigation or Patch Steps

The most effective mitigation is to immediately uninstall the SSP Debug plugin. Since the plugin is vulnerable up to and including version 1.0.0, no patched version exists.

If uninstalling is not immediately possible, consider the following (though this is not a substitute for uninstalling):

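  • Implement Web Server Access Controls: Configure your web server (e.g., Apache, Nginx) to deny access to the wp-content/uploads/ssp-debug/ directory. This will prevent direct access to the log file. Consult your web server documentation for specific instructions. Example for Apache, saved as a .htaccess file inside wp-content/uploads/ssp-debug/ (a <Directory> block is not valid in .htaccess, only in the server or virtual-host configuration; AllowOverride must permit these directives). The first block applies to Apache 2.4 and later, the second to Apache 2.2:
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Deny from all
    </IfModule>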
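
Blocking the directory does not tell you whether the log was already fetched. The following is an added example, not code from the plugin or the original post: it scans web server access logs for requests that were actually served content from the ssp-debug directory. It assumes the Apache/Nginx "combined" log format; the function name and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Directory named in the advisory; any file served from it counts as a leak.
LOG_DIR = "/wp-content/uploads/ssp-debug/"

# Assumed "combined" access-log format: ip, ident, user, [time], "request", status, bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

SAMPLE = [  # constructed access-log lines using documentation IP ranges
    '203.0.113.7 - - [12/Nov/2025:10:15:32 +0000] "GET /wp-content/uploads/ssp-debug/ssp-debug.log HTTP/1.1" 200 48213 "-" "curl/8.5.0"',
    '203.0.113.7 - - [12/Nov/2025:10:16:01 +0000] "GET /wp-content/uploads/ssp%2Ddebug/ssp-debug.log?x=1 HTTP/1.1" 206 1024 "-" "curl/8.5.0"',
    '198.51.100.22 - - [12/Nov/2025:11:02:10 +0000] "GET /wp-content/uploads/ssp-debug/ssp-debug.log HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '198.51.100.40 - - [12/Nov/2025:11:05:44 +0000] "GET /wp-content/uploads/2025/11/photo.jpg HTTP/1.1" 200 88211 "-" "Mozilla/5.0"',
]

def find_log_reads(lines):
    """Return {client_ip: [(timestamp, status, bytes), ...]} for requests
    that were served content from the ssp-debug directory."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed format; skip rather than guess
        # Drop the query string, decode %xx escapes and collapse repeated
        # slashes so encoded or padded variants of the path still match.
        path = unquote(m["target"].split("?", 1)[0])
        path = re.sub(r"/{2,}", "/", path)
        if LOG_DIR not in path:  # substring match covers sub-directory installs
            continue
        status = int(m["status"])
        size = 0 if m["size"] == "-" else int(m["size"])
        # 200 is a full read, 206 a ranged read; 403/404 returned no log data.
        if status in (200, 206) and size > 0:
            hits[m["ip"]].append((m["ts"], status, size))
    return dict(hits)

if __name__ == "__main__":
    for ip, reads in find_log_reads(SAMPLE).items():
        print(ip, len(reads), "read(s),", sum(r[2] for r in reads), "bytes")
```

Any client it reports received log content, so the URLs, IP addresses, user IDs and paths in the log at that time should be treated as disclosed.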
                


Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
