CVE-2024-35669
📋 TL;DR
This CVE describes a Missing Authorization vulnerability in the Bowo Debug Log Manager WordPress plugin. It allows unauthorized users to access debug log files that should be restricted. This affects all WordPress sites running Debug Log Manager versions up to and including 2.3.1.
💻 Affected Systems
- Bowo Debug Log Manager WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Unauthenticated attackers could access sensitive debug information containing system paths, configuration details, database credentials, or other sensitive data that could facilitate further attacks.
Likely Case
Attackers with basic WordPress knowledge could access debug logs containing potentially sensitive information about the WordPress installation and plugins.
If Mitigated
With proper authorization controls, only authenticated administrators could access debug logs, limiting exposure to trusted users only.
🎯 Exploit Status
The vulnerability involves broken access control, making exploitation straightforward for attackers who discover the unprotected endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.3.2 or later
Vendor Advisory: https://patchstack.com/database/vulnerability/debug-log-manager/wordpress-debug-log-manager-plugin-2-3-1-broken-access-control-vulnerability-2
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Debug Log Manager' and click 'Update Now'.
4. Alternatively, download version 2.3.2+ from WordPress.org and replace the plugin files manually.
🔧 Temporary Workarounds
Disable Debug Log Manager Plugin
Temporarily disable the vulnerable plugin until it is patched:
wp plugin deactivate debug-log-manager
Restrict Access via .htaccess
Block direct requests to files under the plugin directory:
# Add to .htaccess in the WordPress root (Apache 2.4 syntax).
# A path-based rewrite rule is used because <FilesMatch> only matches file
# names, not the plugin directory path, so it would not cover the endpoints.
# Note: this only blocks direct requests under the plugin directory; it has
# no effect on requests routed through WordPress core files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^wp-content/plugins/debug-log-manager/ - [F,L]
</IfModule>
🧯 If You Can't Patch
- Remove the Debug Log Manager plugin entirely if updating is not possible
- Implement web application firewall rules to block requests to debug-log-manager endpoints
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Debug Log Manager version. If version is 2.3.1 or earlier, you are vulnerable.
Check Version:
wp plugin get debug-log-manager --field=version
Verify Fix Applied:
After updating, verify the plugin version shows 2.3.2 or later in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to /wp-content/plugins/debug-log-manager/ endpoints
- HTTP 200 responses to debug log manager URLs from unauthenticated users
Network Indicators:
- GET requests to debug-log-manager endpoints without authentication cookies
SIEM Query:
source="web_access_logs" AND uri="/wp-content/plugins/debug-log-manager/*" AND NOT user_agent="WordPress/*"
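The log indicators above, turned into a small detection script. This is an added example and not part of the advisory or the plugin: it assumes an Apache LogFormat extended with the Cookie request header (the standard "combined" format has no cookie field), and the sample log lines, including the file name debug.log under the plugin directory, are constructed placeholders rather than endpoints named by the advisory.

```python
"""Flag successful, unauthenticated requests to the Debug Log Manager plugin
directory in Apache-style access logs (added detection example)."""
import re
from typing import Dict, Iterable, List, Optional

PLUGIN_PATH = "/wp-content/plugins/debug-log-manager/"

# Assumed LogFormat (an assumption; %{Cookie}i is not in Apache's default "combined"):
#   "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Cookie}i\""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# Constructed sample lines. "debug.log" is a placeholder file name under the
# plugin directory, not an endpoint the advisory names.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2024:12:00:01 +0000] "GET /wp-content/plugins/debug-log-manager/debug.log HTTP/1.1" 200 5120 "-" "curl/8.4.0" "-"
198.51.100.7 - - [10/Jun/2024:12:00:02 +0000] "GET /wp-admin/admin.php?page=debug-log-manager HTTP/1.1" 200 8800 "-" "Mozilla/5.0" "wordpress_logged_in_abc=admin%7C1718000000"
203.0.113.5 - - [10/Jun/2024:12:00:03 +0000] "GET /wp-content/plugins/debug-log-manager/debug.log HTTP/1.1" 403 199 "-" "curl/8.4.0" "-"
192.0.2.9 - - [10/Jun/2024:12:00:04 +0000] "GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0" "-"
127.0.0.1 - - [10/Jun/2024:12:00:05 +0000] "POST /wp-cron.php HTTP/1.1" 200 0 "-" "WordPress/6.5; https://example.test" "-"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one access-log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def has_wp_login_cookie(cookie_header: str) -> bool:
    """WordPress sets a wordpress_logged_in_<hash> cookie once a user authenticates."""
    return any(part.strip().startswith("wordpress_logged_in_")
               for part in cookie_header.split(";"))


def is_suspicious(entry: Dict[str, str]) -> bool:
    """A hit is a 200 response for a path under the plugin directory with no
    login cookie, ignoring WordPress's own loopback/cron requests (UA "WordPress/")."""
    path = entry["uri"].split("?", 1)[0]
    return (
        path.startswith(PLUGIN_PATH)
        and entry["status"] == "200"
        and not has_wp_login_cookie(entry["cookie"])
        and not entry["ua"].startswith("WordPress/")
    )


def find_suspicious(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed entries that match the indicator."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} {hit['uri']} "
              f"-> {hit['status']} (no WordPress login cookie)")
```

On the constructed sample only the first line is flagged: the second is an authenticated admin-page request outside the plugin directory, the third was already blocked (403), and the last is the site's own cron request. Run it against a real log by replacing SAMPLE_LOG with the file's lines; a match is worth correlating with the patch status from the verification step above.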
🔗 References
- https://patchstack.com/database/vulnerability/debug-log-manager/wordpress-debug-log-manager-plugin-2-3-1-broken-access-control-vulnerability-2?_s_id=cve