CVE-2025-5760
📋 TL;DR
The Simple History WordPress plugin versions before 5.8.1 expose user passwords in clear text when Detective Mode is enabled. When users submit login forms, their actual passwords are written to the plugin's logs without redaction. This affects any WordPress site using vulnerable plugin versions where Detective Mode is enabled, potentially exposing passwords to administrators or anyone with database access.
💻 Affected Systems
- WordPress Simple History Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
All user passwords on the WordPress site are exposed in clear text logs, allowing complete account takeover, privilege escalation, and credential reuse attacks across other systems.
Likely Case
Administrators or users with database access discover passwords in logs, leading to targeted account compromises and potential credential stuffing attacks.
If Mitigated
With Detective Mode disabled and proper access controls, passwords are not logged, limiting exposure to only what's captured through other logging mechanisms.
🎯 Exploit Status
Exploitation requires Detective Mode to be enabled and access to the Simple History logs (typically via WordPress admin or database access). No special tools needed - just reading the logs.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.8.1
Vendor Advisory: https://simple-history.com/support/detective-mode/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Simple History plugin. 4. Click 'Update Now' if update is available. 5. Alternatively, download version 5.8.1+ from WordPress plugin repository and manually update.
🔧 Temporary Workarounds
Disable Detective Mode
allTurn off Detective Mode in Simple History plugin settings to prevent password logging
Disable Simple History Plugin
linuxTemporarily deactivate the plugin until patched
wp plugin deactivate simple-history
🧯 If You Can't Patch
- Immediately disable Detective Mode in Simple History settings
- Restrict database and WordPress admin access to only essential personnel
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Simple History → Version. If version is below 5.8.1 and Detective Mode is enabled, the system is vulnerable.Check Version:
wp plugin get simple-history --field=versionVerify Fix Applied:
Verify plugin version is 5.8.1 or higher in WordPress admin panel. Check that password fields are no longer visible in Simple History logs after login attempts.📡 Detection & Monitoring
Log Indicators:
- Clear text passwords in Simple History logs
- Login events with full POST data including password fields
- Detective Mode enabled in plugin settings
Network Indicators:
- Normal HTTP login traffic - no network anomalies
SIEM Query:
source="wordpress" AND "simple-history" AND ("password" OR "pwd" OR "pass") AND NOT "[REDACTED]"🔗 References
- https://github.com/bonny/WordPress-Simple-History/commit/68eab0cab6882eafef4bfece884093eeda5ac018
- https://github.com/bonny/WordPress-Simple-History/issues/546
- https://plugins.trac.wordpress.org/changeset/3267487/
- https://simple-history.com/support/detective-mode/
- https://wordpress.org/plugins/simple-history/#developers
- https://wordpress.org/support/topic/security-vulnerability-passwords-stored-as-plain-text-in-logs/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b6364415-da02-4236-b635-d8fbd27faa33?source=cve
