Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Vulnerability DatabaseCVE-2025-5760
CVE-2025-5760:
WordPress vulnerability analysis and mitigation
Overview
The Simple History plugin for WordPress is vulnerable to sensitive data exposure via Detective Mode in versions prior to 5.8.1. The vulnerability (CVE-2025-5760) was discovered on June 6, 2025. When Detective Mode is enabled, the plugin's logger captures the entire contents of $POST (and sometimes raw request bodies or $GET) without properly redacting password-related keys. This affects the appenddebuginfotocontext() function (CVE Details, WordPress Plugin).
Technical details
The vulnerability stems from insufficient sanitization in the appenddebuginfotocontext() function. When Detective Mode is enabled, the plugin logs all POST and GET data, including sensitive password fields from login forms. This affects both native WordPress login (wplogin) and third-party login widgets. The issue was particularly noticeable in the detectivemodepostraw field, which stored passwords in plain text, while other fields properly masked them with asterisks (GitHub Issue, WordPress Forum).
Impact
When exploited, this vulnerability allows any authenticated attacker or user whose actions generate a login event to have their password recorded in clear text. Additionally, administrators or users with database read access can retrieve all captured passwords from the logs (CVE Details).
Mitigation and workarounds
The vulnerability has been patched in version 5.8.1 of the Simple History plugin. The fix includes improved password field masking and removal of raw post data from Detective Mode data. Users are advised to update to the latest version immediately. For those unable to update, it is recommended to disable Detective Mode until the update can be applied (GitHub Commit).
Community reactions
The vulnerability was initially reported through the WordPress support forums, where users expressed concerns about compliance with security standards like NIST SP 800-63, ISO 27001, and GDPR. The plugin's author, Pär Thernström, responded promptly to the report and released a fix after confirming the issue with third-party login systems (WordPress Forum).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Get a personalized demo
Ready to see Wiz in action?
“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management