{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9517", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-26T23:12:09.112Z", "datePublished": "2025-09-04T04:23:48.559Z", "dateUpdated": "2026-04-08T17:10:59.857Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:10:59.857Z"}, "affected": [{"vendor": "docjojo", "product": "atec Debug", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.22", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The atec Debug plugin for WordPress is vulnerable to remote code execution in all versions up to, and including, 1.2.22 via the 'custom_log' parameter. This is due to insufficient sanitization when saving the custom log path. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server."}], "title": "atec Debug <= 1.2.22 - Authenticated (Administrator+) Remote Code Execution", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/99fc02ea-5399-4ff2-a5f9-27878cadf40d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3355260%40atec-debug%2Ftrunk&old=3342365%40atec-debug%2Ftrunk"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "cweId": "CWE-94", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "timeline": [{"time": "2025-08-27T19:44:06.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-09-03T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-04T16:59:16.936921Z", "id": "CVE-2025-9517", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-04T17:01:42.032Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9517", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-09-04T16:59:16.936921Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-04T17:00:18.240Z"}}], "cna": {"title": "atec Debug <= 1.2.22 - Authenticated (Administrator+) Remote Code Execution", "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "docjojo", "product": "atec Debug", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.2.22"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-27T19:44:06.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-09-03T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/99fc02ea-5399-4ff2-a5f9-27878cadf40d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3355260%40atec-debug%2Ftrunk&old=3342365%40atec-debug%2Ftrunk"}], "descriptions": [{"lang": "en", "value": "The atec Debug plugin for WordPress is vulnerable to remote code execution in all versions up to, and including, 1.2.22 via the 'custom_log' parameter. This is due to insufficient sanitization when saving the custom log path. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-09-04T04:23:48.559Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9517", "state": "PUBLISHED", "dateUpdated": "2025-09-04T17:01:42.032Z", "dateReserved": "2025-08-26T23:12:09.112Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-04T04:23:48.559Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The atec Debug plugin for WordPress is vulnerable to remote code execution in all versions up to, and including, 1.2.22 via the 'custom_log' parameter. This is due to insufficient sanitization when saving the custom log path. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server."}], "id": "CVE-2025-9517", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-04T10:42:35.217", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3355260%40atec-debug%2Ftrunk&old=3342365%40atec-debug%2Ftrunk"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/99fc02ea-5399-4ff2-a5f9-27878cadf40d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T03:17:45.572139+00:00", "value": {"mitigation_remediation": ["Upgrade the atec Debug plugin to a version newer than 1.2.22.", "If an upgrade is not immediately possible, disable or uninstall the atec Debug plugin until a fix can be applied.", "Restrict access to Administrator accounts and ensure that any custom log paths are properly sanitized or blocked from user input."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to the atec Debug plugin for WordPress, version 1.2.22 and all earlier releases. The affected product is maintained by the vendor docjojo and is designed to assist developers with debugging WordPress sites.", "description_and_impact": "The atec Debug WordPress plugin contains a remote code execution flaw triggered by the custom_log parameter. When an attacker with Administrator or higher privileges supplies a malicious value for this parameter, the plugin's inadequate sanitization allows the data to be executed on the server. This flaw gives the attacker full control over the host, potentially leading to data theft, defacement, or further compromise of connected systems.", "risk_and_exploitability": "The CVSS score of 7.2 indicates moderate to high severity, while the EPSS score of less than 1% suggests a very low probability of exploitation at this time. The exploit requires authenticated access with Administrator rights, and because the flaw is within a plugin the vulnerability is confined to sites that have the atec Debug plugin installed and are running an unpatched version. The vulnerability is not listed in CISA\u2019s KEV catalog, indicating no known widespread exploitation yet."}}}}, "created": "2025-09-04T13:12:10.495382+00:00", "updated": "2026-04-21T03:30:26.329845+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}