The Simple History plugin for WordPress is vulnerable to sensitive data exposure via Detective Mode due improper sanitization within the append_debug_info_to_context() function in versions prior 5.8.1. When enabled, plugin’s logger captures entire contents of $_POST (and sometimes raw request bodies or $_GET) without redacting any password‐related keys. As a result, whenever user submits login form, whether native wp_login third‐party widget, their actual password written clear text into logs. An authenticated attacker whose actions generate event will have recorded; an administrator (or anyone with database read access) can then those logs and retrieve every captured password.