Skip to main content

Wp Activity Log CVE-2023-2285

MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2023-06-09 security@wordfence.com
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch released
Apr 08, 2026 - 18:22 nvd
Patch available
CVE Published
Jun 09, 2023 - 13:15 nvd
MEDIUM 4.3

DescriptionCVE.org

The WP Activity Log Premium plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.0. This is due to missing or incorrect nonce validation on the ajax_switch_db function. This makes it possible for unauthenticated attackers to make changes to the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

AnalysisAI

The WP Activity Log Premium plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

Technical ContextAI

This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. The WP Activity Log Premium plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.0. This is due to missing or incorrect nonce validation on the ajax_switch_db function. This makes it possible for unauthenticated attackers to make changes to the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Affected products include: Wpwhitesecurity Wp Activity Log.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.

CVE-2020-36716 HIGH POC
7.3 Jun 07

The WP Activity Log plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the

CVE-2026-54806 CRITICAL
9.8 Jun 17

Unauthenticated PHP object injection in the WP Activity Log WordPress plugin versions 5.6.3.1 and earlier allows remote

CVE-2024-2018 HIGH
8.8 Apr 09

The WP Activity Log Premium plugin for WordPress is vulnerable to SQL Injection via the entry->roles parameter in all ve

CVE-2025-0924 HIGH
7.2 Feb 17

The WP Activity Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘message’ parameter in all

CVE-2026-56005 HIGH
7.1 Jun 25

Stored/reflected Cross-Site Scripting in Melapress's WP Activity Log WordPress plugin (versions <= 5.6.3.1, reported by

CVE-2026-45435 MEDIUM
6.5 May 25

DOM-Based Cross-Site Scripting in Melapress WP Activity Log (all versions through 5.6.3) allows a low-privileged, authen

CVE-2025-0767 MEDIUM
6.3 Feb 27

WP Activity Log 5.3.2 was found to be vulnerable. Rated medium severity (CVSS 6.3), this vulnerability is remotely explo

CVE-2024-10793 MEDIUM
6.1 Nov 15

The WP Activity Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user_id parameter in all v

CVE-2023-2261 MEDIUM
4.3 Jun 09

The WP Activity Log plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the

CVE-2023-2286 MEDIUM
4.3 Jun 09

The WP Activity Log for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.0. R

CVE-2023-2284 MEDIUM
4.3 Jun 09

The WP Activity Log Premium plugin for WordPress is vulnerable to unauthorized modification of data due to a missing cap

Share

CVE-2023-2285 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy