Cyber Posture

CVE-2026-5130

Severity: High

Published: 30 March 2026
Modified: 24 April 2026
KEV Added: not listed
Patch: fixed in Debugger & Troubleshooter 1.4.0
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (9.6th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-5130 is a high-severity Reliance on Cookies without Validation and Integrity Checking (CWE-565) vulnerability in the Debugger & Troubleshooter plugin for WordPress, affecting versions up to and including 1.3.2 (the affected product is inferred from the references and description; NVD filed no CPE). Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS places it at the 9.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog. The low EPSS figure reflects observed exploitation activity at the time of scoring, not difficulty: the attack needs only a crafted cookie on an ordinary HTTP request.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and two further techniques, Valid Accounts (T1078) and Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly addresses the core flaw by requiring validation of untrusted inputs such as the wp_debug_troubleshoot_simulate_user cookie before it is used to override the determine_current_user filter and impersonate users.

AC-3 Access Enforcement (prevent)
Enforces proper access control by ensuring that logical access decisions, such as user impersonation via cookies, align with authorization policies and reject unauthenticated privilege escalation attempts.

SI-2 Flaw Remediation (prevent)
Mandates timely identification, reporting and remediation of flaws like the unvalidated cookie handling in the plugin, enabling patching to the fixed version 1.4.0 with cryptographic token validation.

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1078 Valid Accounts (Defense Evasion / Persistence / Privilege Escalation / Initial Access)
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The unauthenticated remote vulnerability in a public-facing WordPress plugin directly enables exploitation of the application (T1190), privilege escalation to administrator level (T1068), and impersonation of valid user accounts via cookie manipulation without validation (T1078).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The Debugger & Troubleshooter plugin for WordPress was vulnerable to Unauthenticated Privilege Escalation in versions up to and including 1.3.2. This was due to the plugin accepting the wp_debug_troubleshoot_simulate_user cookie value directly as a user ID without any cryptographic validation or authorization checks. The cookie value was used to override the determine_current_user filter, which allowed unauthenticated attackers to impersonate any user by simply setting the cookie to their target user ID. This made it possible for unauthenticated attackers to gain administrator-level access and perform any privileged actions including creating new administrator accounts, modifying site content, installing plugins, or taking complete control of the WordPress site. The vulnerability was fixed in version 1.4.0 by implementing a cryptographic token-based validation system where only administrators can initiate user simulation, and the cookie contains a random 64-character token that must be validated against database-stored mappings rather than accepting arbitrary user IDs.

Deeper analysis

CVE-2026-5130 is an unauthenticated privilege escalation vulnerability in the Debugger & Troubleshooter plugin for WordPress, affecting versions up to and including 1.3.2. The plugin accepts the value of the wp_debug_troubleshoot_simulate_user cookie directly as a user ID, with no cryptographic validation and no authorization check, and uses it to override the determine_current_user filter. The cookie therefore acts as an unauthenticated bearer credential for any account on the site, which is the textbook case of CWE-565 (Reliance on Cookies without Validation and Integrity Checking). NVD records a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Note that the PR:L component (some privileges required) does not match the "unauthenticated" wording of the description; with PR:N the same vector scores 9.8, so treat 8.8 as a floor when prioritising.

Exploitation requires nothing beyond an HTTP request to the site with the wp_debug_troubleshoot_simulate_user cookie set to the numeric ID of the target user, such as an administrator. WordPress then resolves the request as that user, so every privileged action the account can perform is available: creating new administrator accounts, modifying site content, installing or updating plugins, or taking complete control of the site. Because the impersonation happens inside the authentication filter rather than through a login, it leaves no login event and no password change behind; standard web server access logs do not record request cookies, so detection on the server side depends on whether cookies are captured elsewhere.

Version 1.4.0 of the plugin fixes the flaw with a token-based design: only an authenticated administrator can start a user simulation, and the cookie then carries a random 64-character token that is looked up against a mapping stored in the database, so an arbitrary user ID in the cookie no longer resolves to anyone. Security advisories, including those from Wordfence, recommend updating immediately; the code changes are visible in the plugin's WordPress trac repository. Practitioners should confirm that the installed version is 1.4.0 or later, and, for any internet-facing site that ran 1.3.2 or earlier, review the administrator list, the installed plugins and recent content changes, since those are the actions the advisory lists as reachable.
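As an added illustration, not the plugin's own code and not taken from its trac history, the following PHP places the weak pattern described above beside a hardened version built along the lines the fix describes: administrator-initiated simulation, a random 64-character token in the cookie, and resolution only through a server-side mapping. The cookie name and the determine_current_user filter come from the advisory; the function names, the transient key prefix and the 15-minute lifetime are assumptions made for this example.

```php
<?php
// Added illustrative example: NOT the Debugger & Troubleshooter plugin's code.
// Left half reconstructs the weak pattern reported for CVE-2026-5130; right
// half is one hardened design of the kind the 1.4.0 fix describes.
// The cookie name is from the advisory; every function name, the transient
// prefix and the lifetime below are assumptions chosen for this example.

const SIMULATE_COOKIE = 'wp_debug_troubleshoot_simulate_user';
const EXAMPLE_SIM_TTL = 15 * MINUTE_IN_SECONDS;   // assumed lifetime

// ---- Vulnerable pattern (CWE-565): the cookie value IS the user ID. --------
// Any client sending "Cookie: wp_debug_troubleshoot_simulate_user=<id>" is
// treated as user <id>: no authentication, no authorization, no integrity.
function example_vulnerable_determine_current_user( $user_id ) {
    if ( isset( $_COOKIE[ SIMULATE_COOKIE ] ) ) {
        return absint( $_COOKIE[ SIMULATE_COOKIE ] );
    }
    return $user_id;
}
// add_filter( 'determine_current_user', 'example_vulnerable_determine_current_user', 20 );

// ---- Hardened pattern: the cookie carries an unguessable token, never an identity.

// Tokens are exactly 64 lowercase hex characters; reject anything else before
// it touches the database (SI-10: validate the input).
function example_is_token_shaped( $token ) {
    return is_string( $token ) && 1 === preg_match( '/^[a-f0-9]{64}$/', $token );
}

// Step 1: only an authenticated administrator may start a simulation
// (AC-3: access enforcement). Returns the token, or false if refused.
function example_start_simulation( $target_user_id ) {
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    $target_user_id = absint( $target_user_id );
    if ( 0 === $target_user_id || ! get_userdata( $target_user_id ) ) {
        return false;                       // target must be a real account
    }
    $token = bin2hex( random_bytes( 32 ) ); // 32 CSPRNG bytes -> 64 hex chars
    // Server-side mapping token -> {target, initiator}; expires on its own.
    set_transient( 'example_sim_' . $token, array(
        'target'    => $target_user_id,
        'initiator' => get_current_user_id(),
    ), EXAMPLE_SIM_TTL );
    setcookie( SIMULATE_COOKIE, $token, array(
        'expires'  => time() + EXAMPLE_SIM_TTL,
        'path'     => COOKIEPATH,
        'secure'   => is_ssl(),
        'httponly' => true,
        'samesite' => 'Lax',
    ) );
    return $token;
}

// Step 2: the filter resolves the cookie only through the stored mapping.
// It must not call current_user_can() here: that would re-enter this filter.
function example_hardened_determine_current_user( $user_id ) {
    if ( empty( $_COOKIE[ SIMULATE_COOKIE ] ) ) {
        return $user_id;
    }
    $token = $_COOKIE[ SIMULATE_COOKIE ];
    if ( ! example_is_token_shaped( $token ) ) {
        return $user_id;                    // malformed: ignore, fall through
    }
    $mapping = get_transient( 'example_sim_' . $token );
    if ( ! is_array( $mapping ) || empty( $mapping['target'] ) ) {
        return $user_id;                    // unknown or expired token
    }
    return absint( $mapping['target'] );
}
// add_filter( 'determine_current_user', 'example_hardened_determine_current_user', 20 );

// Step 3: ending a simulation invalidates the server-side mapping, so a
// copied cookie is useless afterwards.
function example_stop_simulation() {
    if ( ! empty( $_COOKIE[ SIMULATE_COOKIE ] )
        && example_is_token_shaped( $_COOKIE[ SIMULATE_COOKIE ] ) ) {
        delete_transient( 'example_sim_' . $_COOKIE[ SIMULATE_COOKIE ] );
    }
    setcookie( SIMULATE_COOKIE, '', time() - HOUR_IN_SECONDS, COOKIEPATH );
}
```

The point of the hardened half is that the cookie never names a user: a client can send any value it likes, but only a value the server minted and still remembers resolves to an account, and minting is gated on an already-authenticated administrator. The token is still a bearer credential, so it is only as safe as the cookie's confidentiality (hence the secure and httponly flags) and its lifetime; a real implementation would also protect the request that calls example_start_simulation against CSRF with a WordPress nonce (check_admin_referer), which this example assumes is done by the caller.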

Details

CWE(s)

CWE-565 Reliance on Cookies without Validation and Integrity Checking

Affected Products

Debugger & Troubleshooter plugin for WordPress, versions up to and including 1.3.2 (fixed in 1.4.0)
Inferred from the references and description; NVD did not file a CPE for this CVE.

CVEs Like This One

CVE-2022-50926 (shared CWE-565)
CVE-2025-64447 (shared CWE-565)
CVE-2014-125112 (shared CWE-565)
CVE-2025-14440 (shared CWE-565)
CVE-2025-65212 (shared CWE-565)
CVE-2025-2395 (shared CWE-565)
CVE-2025-59247 (shared CWE-565)
CVE-2026-39324 (shared CWE-565)
