A critical vulnerability was identified in the Debug Log Manager plugin during testing. Specifically, a Directory Listing vulnerability was uncovered that lets unauthenticated users download the plugin's debug logs. This flaw exposes sensitive data and can lead to security breaches and unauthorized access.

Main info:

CVE: CVE-2023-6383
Plugin: Debug Log Manager < 2.3.0
Criticality: High
All Time: 13 643
Active installations: 2000+
Publicly Published: December 14, 2023
Last Updated: December 14, 2023
Researcher: Dmitrii Ignatyev
OWASP TOP-10: A3: Sensitive Data Exposure
PoC: Yes
Exploit: No
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6383
https://wpscan.com/vulnerability/eae63103-3de6-4100-8f48-2bcf9a5c91fb/

Timeline

November 2, 2023: Plugin testing and vulnerability detection in the Debug Log Manager plugin have been completed
November 2, 2023: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
November 28, 2023: The author fixed the vulnerability and released the plugin update
December 14, 2023: Registered CVE-2023-6383

Discovery of the Vulnerability

During testing of the plugin, a Directory Listing vulnerability was discovered that allows an unauthenticated visitor to download the debug log and gain access to sensitive data.

Understanding Directory Listing Attacks

Directory Listing vulnerabilities involve the unintended exposure of directory contents, allowing unauthorized users to view and download files. In WordPress, this could lead to the inadvertent disclosure of sensitive logs, configurations, or other critical data. Real-world examples underscore the risk of attackers leveraging directory listings to gain insights into the site’s internal structure and access sensitive logs without proper authorization.

Exploiting the Directory Listing Vulnerability

Exploiting this vulnerability in Debug Log Manager entails utilizing the exposed directory listing to download debug logs without the need for proper authorization. Attackers may use this information to gather insights into the site’s operations, potentially uncovering sensitive data and compromising the security of the application.

POC URL:

1) Go to https://your_site/wordpress/wp-content/uploads/debug-log-manager/


The potential risk associated with this vulnerability is significant. In real-world scenarios, attackers could exploit the exposed directory listing to access and download debug logs containing sensitive information. This information might include error details, configurations, or other log entries critical to the proper functioning and security of the WordPress site. Unauthorized access to such logs could lead to security breaches, data manipulation, and other malicious activities.

To address and mitigate the risk posed by the Directory Listing vulnerability in the Debug Log Manager plugin, the following is recommended:

  • Directory Security Measures: Implement robust security measures for directories, including access controls and regular audits to promptly detect and address vulnerabilities.
  • Access Control: Ensure that access controls are appropriately configured, restricting access to sensitive logs only to authorized personnel.
  • Plugin Update: Regularly update the Debug Log Manager plugin with the latest security patches to address this vulnerability.
  • Security Audits: Conduct regular security audits to identify and rectify any potential vulnerabilities within the WordPress environment.

By implementing these security measures, administrators can significantly reduce the risk of unauthorized access to sensitive logs through the Directory Listing vulnerability in the Debug Log Manager plugin.
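To confirm on a site you administer that the log directory no longer serves an index, the following check parses the response the way a reviewer would eyeball it. This is an added example, not code from the advisory or the plugin; the autoindex page layout, the User-Agent string and the sample file name are assumptions.

```python
import re
import urllib.error
import urllib.request
from html.parser import HTMLParser

LOG_DIR = "wp-content/uploads/debug-log-manager/"  # directory named in the advisory

class _LinkCollector(HTMLParser):
    """Collect href targets from an index page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def listed_files(body: str) -> list[str]:
    """File names an index page exposes; sort, parent and subdirectory links are skipped."""
    parser = _LinkCollector()
    parser.feed(body)
    return [h for h in parser.hrefs
            if not h.startswith(("?", "/", "../")) and not h.endswith("/")]

def is_directory_listing(status: int, body: str) -> bool:
    """A 200 response with an 'Index of' title or at least one file link is a listing."""
    if status != 200:
        return False
    return bool(re.search(r"<title>\s*Index of", body, re.I)) or bool(listed_files(body))

def check_site(base_url: str) -> tuple[bool, list[str]]:
    """Fetch the log directory on a site you administer; returns (exposed, file names)."""
    req = urllib.request.Request(base_url.rstrip("/") + "/" + LOG_DIR,
                                 headers={"User-Agent": "dlm-listing-check"})  # assumed UA
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 403/404 means no listing is served
        status, body = err.code, ""
    return is_directory_listing(status, body), listed_files(body)

# Constructed sample of an Apache-style autoindex page, not a response from any real site
SAMPLE_LISTING = """<html><head><title>Index of /wp-content/uploads/debug-log-manager</title></head>
<body><h1>Index of /wp-content/uploads/debug-log-manager</h1>
<a href="?C=N;O=D">Name</a> <a href="/wp-content/uploads/">Parent Directory</a>
<a href="example_site_debug.log">example_site_debug.log</a>
<a href="index.php">index.php</a></body></html>"""
```

Run `check_site("https://your_site/wordpress")` after updating; a result of `(False, [])` means the server is not listing the directory, while any file names returned are exactly what an unauthenticated visitor can see.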



DMITRII I.

CVE-2023-6383 – Debug Log Manager – Directory Listing to Sensitive logs exposure – POC
