PatchSiren cyber security CVE debrief

CVE-2026-9016 qriouslad CVE debrief

The Debug Log Manager – Conveniently Monitor and Inspect Errors plugin for WordPress is vulnerable to Improper Output Neutralization for Logs in all versions up to, and including, 2.5.0. This is due to the `log_js_errors()` AJAX handler being registered for unauthenticated users via `wp_ajax_nopriv_log_js_errors` and gated only by a nonce that is publicly disclosed in every front-end page's HTML through `wp_localize_script()` whenever JavaScript error logging is enabled, providing no real authorization barrier. This makes it possible for unauthenticated attackers to inject arbitrary forged entries into the site's WordPress debug log by supplying attacker-controlled values for the `message`, `script`, `lineNo`, `columnNo`, and `pageUrl` fields — enabling spoofing of error and incident records, obscuring malicious activity within fabricated log noise, and misleading administrators who rely on the log for triage.

Vendor: qriouslad
Product: Debug Log Manager – Conveniently Monitor and Inspect Errors
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-06
Original CVE updated: 2026-06-08
Advisory published: 2026-06-06
Advisory updated: 2026-06-08

Who should care

Administrators of WordPress sites using the Debug Log Manager – Conveniently Monitor and Inspect Errors plugin, especially those relying on the plugin's JavaScript error logging feature.

Technical summary

The plugin registers an AJAX handler, `log_js_errors`, for unauthenticated users. The handler is gated by a nonce that is publicly disclosed in the page HTML when JavaScript error logging is enabled. This allows unauthenticated attackers to inject arbitrary log entries.
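A hardened form of the handler pattern described above, written as an added example for this debrief (it is not the plugin's own code or its vendor's fix). The `dlm_` hook and function names, the `manage_options` capability choice and the log line format are assumptions; the field names are the ones listed in the advisory.

```php
<?php
// Added example, not the plugin's code. "dlm_" names are hypothetical.

// Neutralize one untrusted field before it reaches the log (CWE-117):
// strip CR/LF and other control characters so a single request cannot
// forge extra log lines, and cap the length so the log cannot be flooded.
function dlm_neutralize_log_field( $value, $max_len = 500 ) {
    $value = sanitize_text_field( wp_unslash( (string) $value ) );
    // sanitize_text_field() already drops line breaks; also remove any
    // remaining C0/C1 control characters (e.g. terminal escape sequences).
    $value = preg_replace( '/[\x00-\x1F\x7F-\x9F]/u', '', $value );
    if ( strlen( $value ) > $max_len ) {
        $value = substr( $value, 0, $max_len ) . '...[truncated]';
    }
    return $value;
}

function dlm_hardened_log_js_errors() {
    // The nonce alone is not authorization (it is readable in the page HTML),
    // so the handler is registered only on wp_ajax_ (logged-in users) and
    // additionally checks a capability. The capability is an assumption.
    check_ajax_referer( 'dlm_log_js_errors', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $fields = array(
        'message'  => dlm_neutralize_log_field( $_POST['message'] ?? '' ),
        'script'   => esc_url_raw( wp_unslash( $_POST['script'] ?? '' ) ),
        'lineNo'   => absint( $_POST['lineNo'] ?? 0 ),
        'columnNo' => absint( $_POST['columnNo'] ?? 0 ),
        'pageUrl'  => esc_url_raw( wp_unslash( $_POST['pageUrl'] ?? '' ) ),
    );
    // Tag the entry with its origin and the submitting user so an admin
    // triaging the log can tell browser-reported JS errors apart from
    // server-side PHP errors and can attribute each entry.
    error_log( sprintf(
        '[js-error][uid=%d] %s at %s:%d:%d (page %s)',
        get_current_user_id(),
        $fields['message'], $fields['script'], $fields['lineNo'],
        $fields['columnNo'], $fields['pageUrl']
    ) );
    wp_send_json_success();
}

// No wp_ajax_nopriv_ registration: for anonymous requests admin-ajax.php
// finds no handler and dies with "0" before any plugin code runs.
add_action( 'wp_ajax_dlm_log_js_errors', 'dlm_hardened_log_js_errors' );
```

Dropping the `nopriv` registration means JavaScript errors from anonymous visitors are no longer collected; if that coverage is required, the neutralization, length cap and origin tag still limit what a forged entry can do and make it recognisable during triage.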

Defensive priority

Medium

Recommended defensive actions

  • Update the plugin to a version beyond 2.5.0, if available.
  • Disable the JavaScript error logging feature if not required.
  • Monitor the WordPress debug log for suspicious entries.

Evidence notes

The vulnerability is confirmed by Wordfence, a WordPress security firm. The CVE record and NVD detail provide additional context.

Official resources

CVE-2026-9016 was published on 2026-06-06T05:16:29.657Z and modified on 2026-06-08T14:57:14.757Z.