Platform
wordpress
Component
debugger-troubleshooter
Fixed in
1.3.3
CVE-2026-5130 is an unauthenticated privilege escalation vulnerability in the Debugger & Troubleshooter plugin for WordPress. An unauthenticated attacker can impersonate any user, including administrators, by manipulating a single cookie value, and successful exploitation grants administrator-level access. Versions up to and including 1.3.2 are affected; the vulnerability is fixed in version 1.4.0.
CVE-2026-5130 in the Debugger & Troubleshooter WordPress plugin allows for unauthenticated privilege escalation. Versions up to and including 1.3.2 are vulnerable. The issue stems from the plugin directly accepting the wpdebugtroubleshootsimulateuser cookie value as a user ID without any cryptographic validation or authorization checks. This allows an unauthenticated attacker to impersonate any user by simply setting the cookie to their target’s user ID. This vulnerability could allow an attacker to access sensitive information, perform actions on behalf of another user, or even gain full control of the WordPress website.
An attacker exploits this by sending requests that carry the wpdebugtroubleshootsimulateuser cookie set to the user ID of an administrator or any other privileged account. The cookie is set on the attacker's own client, so no foothold on the site and no victim interaction is needed; a browser's developer tools or a command-line HTTP client suffice. Once the cookie is present, the plugin uses its value to determine the current user, and the attacker acts as that user. The ease of exploitation makes this a significant risk to any site running a vulnerable version.
Exploit Status
EPSS
0.02% (6th percentile)
The solution is to update the Debugger & Troubleshooter plugin to version 1.4.0 or later. That version fixes the flaw by validating the wpdebugtroubleshootsimulateuser cookie value and verifying that the requesting user is authorized before using it to determine the current user. Until the update is applied, the temporary mitigation is to disable the plugin unless it is strictly needed; a debugging plugin rarely needs to be active on a production site. Apply the update as soon as possible.
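The following is an added illustration, not the plugin's own code and not the actual patch. It reconstructs the pattern the advisory describes: a `determine_current_user` callback that trusts the cookie value as a user ID, beside a hardened form that only honours the cookie when the real, cookie-authenticated user is an administrator and the value carries an HMAC bound to that administrator's session. The function names, the hook, the cookie format and the `manage_options` capability are all assumptions; the plugin's real internals are not known from this page.

```php
<?php
// Added example, not the plugin's own code. Both callbacks are hypothetical
// reconstructions of the pattern the advisory describes: the plugin's real
// function names, hook and cookie format are not known from this page.
// They are written as determine_current_user filter callbacks, which receive
// the ID WordPress resolved from its own auth cookie (0 when not logged in).

const DT_SIM_COOKIE = 'wpdebugtroubleshootsimulateuser';

// VULNERABLE PATTERN: the cookie value is used as a user ID outright.
// "Cookie: wpdebugtroubleshootsimulateuser=1" from anyone becomes user 1.
function dt_vulnerable_current_user( $user_id ) {
    if ( isset( $_COOKIE[ DT_SIM_COOKIE ] ) ) {
        return (int) $_COOKIE[ DT_SIM_COOKIE ];
    }
    return $user_id;
}

// HARDENED PATTERN, part 1: only a logged-in administrator may start a
// simulation. The cookie carries the target ID plus an HMAC bound to the
// admin's own session token, so it cannot be forged by an anonymous client
// and cannot be replayed from a different session.
function dt_start_simulation( $target_id ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    $target_id = absint( $target_id );
    if ( ! $target_id || ! get_user_by( 'id', $target_id ) ) {
        return false;
    }
    $mac = hash_hmac( 'sha256', $target_id . '|' . wp_get_session_token(), wp_salt( 'auth' ) );
    setcookie( DT_SIM_COOKIE, $target_id . '|' . $mac, time() + HOUR_IN_SECONDS,
        COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
    return true;
}

// HARDENED PATTERN, part 2: the cookie is honoured only when the *real* user
// is an administrator and the HMAC verifies against that user's session.
function dt_hardened_current_user( $user_id ) {
    if ( ! $user_id || empty( $_COOKIE[ DT_SIM_COOKIE ] ) ) {
        return $user_id; // anonymous request, or no cookie: nothing to do
    }
    // user_can(), not current_user_can(): the latter would re-enter this filter.
    if ( ! user_can( $user_id, 'manage_options' ) ) {
        return $user_id;
    }
    $parts = explode( '|', (string) wp_unslash( $_COOKIE[ DT_SIM_COOKIE ] ), 2 );
    if ( 2 !== count( $parts ) || ! ctype_digit( $parts[0] ) ) {
        return $user_id; // malformed value
    }
    $expected = hash_hmac( 'sha256', $parts[0] . '|' . wp_get_session_token(), wp_salt( 'auth' ) );
    if ( ! hash_equals( $expected, $parts[1] ) ) {
        return $user_id; // forged or stale cookie
    }
    $target = (int) $parts[0];
    return get_user_by( 'id', $target ) ? $target : $user_id;
}

// Wire up the hardened callback after WordPress's own cookie validation
// (priority 10); the vulnerable one is shown only for contrast.
add_filter( 'determine_current_user', 'dt_hardened_current_user', 20 );
```

The two checks matter independently: the authorization check stops an anonymous client from ever being elevated, and the HMAC stops a low-privileged but logged-in user from upgrading a legitimate simulation cookie to a different target ID. Binding the MAC to the session token (rather than only to the site salt) also means the cookie dies with the admin's session.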
Update to version 1.4.0, or a newer patched version
Privilege escalation is an attack that allows a user with limited privileges, or in this case no account at all, to gain access to functions or data they would normally not be able to reach.
Check the installed version of the Debugger & Troubleshooter plugin on the Plugins page of the WordPress admin. If it is older than 1.4.0, it is vulnerable.
Disable the plugin temporarily until you can update it.
Ensure all your plugins and WordPress core are updated. Use strong passwords and consider implementing a web application firewall (WAF).
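The steps above (check the version, disable or update, and keep a WAF in front of the site) can be condensed into a must-use plugin that acts as a virtual patch until the update is applied. The file below is an added example, not the plugin's or the page's own code. It assumes the plugin's main file lives at wp-content/plugins/debugger-troubleshooter/debugger-troubleshooter.php; the cookie name is the one the advisory gives. Note that this page names two fixed versions (1.3.3 in the header, 1.4.0 in the text), so set `DT_PATCHED_FROM` to whichever the plugin's own changelog confirms.

```php
<?php
/**
 * Plugin Name: CVE-2026-5130 virtual patch (added example, not the plugin's code)
 * Description: Drops the wpdebugtroubleshootsimulateuser cookie while a vulnerable
 *              Debugger & Troubleshooter version is installed, and nags admins to update.
 *
 * Install by copying into wp-content/mu-plugins/. Must-use plugins load before
 * regular plugins, so a cookie removed here is never seen by the plugin,
 * whichever hook it reads $_COOKIE on (assumption: it reads $_COOKIE, not the
 * raw HTTP_COOKIE header).
 */

const DT_SIM_COOKIE   = 'wpdebugtroubleshootsimulateuser';
const DT_PATCHED_FROM = '1.4.0'; // the version the advisory text names; confirm with the changelog
const DT_MAIN_FILE    = 'debugger-troubleshooter/debugger-troubleshooter.php'; // assumed path

// Read the "Version:" header of the installed plugin (null if not installed).
function dt_installed_version() {
    static $checked = false;
    static $version = null;
    if ( $checked ) {
        return $version;
    }
    $checked = true;
    $main    = WP_PLUGIN_DIR . '/' . DT_MAIN_FILE;
    if ( ! file_exists( $main ) ) {
        return null;
    }
    if ( ! function_exists( 'get_plugin_data' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $data    = get_plugin_data( $main, false, false ); // no markup, no translation
    $version = $data['Version'] ?? null;
    return $version;
}

function dt_is_vulnerable() {
    $v = dt_installed_version();
    return null !== $v && version_compare( $v, DT_PATCHED_FROM, '<' );
}

// Virtual patch: strip the cookie before any plugin code runs, and log the
// attempt so it shows up in the PHP error log / SIEM for later investigation.
if ( dt_is_vulnerable() && isset( $_COOKIE[ DT_SIM_COOKIE ] ) ) {
    error_log( sprintf(
        'CVE-2026-5130: dropped %s=%s from %s for %s',
        DT_SIM_COOKIE,
        preg_replace( '/[^0-9A-Za-z|.-]/', '?', (string) $_COOKIE[ DT_SIM_COOKIE ] ),
        $_SERVER['REMOTE_ADDR'] ?? '-',
        $_SERVER['REQUEST_URI'] ?? '-'
    ) );
    unset( $_COOKIE[ DT_SIM_COOKIE ] );
}

// The virtual patch is a stopgap; keep reminding administrators to update.
add_action( 'admin_notices', function () {
    if ( dt_is_vulnerable() && current_user_can( 'update_plugins' ) ) {
        printf(
            '<div class="notice notice-error"><p>%s</p></div>',
            esc_html( sprintf(
                'Debugger & Troubleshooter %s is vulnerable to CVE-2026-5130. Update to %s or later, or deactivate the plugin.',
                dt_installed_version(),
                DT_PATCHED_FROM
            ) )
        );
    }
} );
```

Because the check is keyed on the installed version, the mu-plugin becomes inert once the update lands and can be deleted at leisure. The log line is the detection hook: any unauthenticated request carrying this cookie is an exploitation attempt, so a WAF rule or SIEM alert on the cookie name is a reasonable permanent control even after patching.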
You can find more information in the CVE vulnerability database: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-5130