Skip to main content

WP Activity Log CVE-2026-56005

| EUVDEUVD-2026-39374 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-25 Patchstack GHSA-fr34-xvr7-v6g8
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
6.5 MEDIUM

Network-reachable web app (AV:N), low complexity (AC:L); the 'Subscriber' requirement implies authentication so PR:L not PR:N; an admin must view the log (UI:R) and the XSS crosses into the admin context (S:C).

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 25, 2026 - 14:21 vuln.today

DescriptionCVE.org

Subscriber Cross Site Scripting (XSS) in WP Activity Log <= 5.6.3.1 versions.

AnalysisAI

Stored/reflected Cross-Site Scripting in Melapress's WP Activity Log WordPress plugin (versions <= 5.6.3.1, reported by Patchstack) lets a low-privileged Subscriber-level user inject script that executes in another user's browser, with a CVSS-rated scope change (S:C) meaning the payload can affect resources beyond the plugin's own security context. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; direct impact is limited (C:L/I:L/A:L) but the cross-context scope and low attack complexity make it relevant for sites that allow open registration.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register low-privilege Subscriber account
Delivery
Submit crafted input logged by plugin
Exploit
Payload stored in activity log
Execution
Admin opens activity log viewer
Persist
Script executes in admin session
Impact
Actions performed as administrator

Vulnerability AssessmentAI

Exploitation Exploitation requires WP Activity Log installed at version <= 5.6.3.1 and the attacker being able to submit data that the plugin logs and later renders to a viewer. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed-to-moderate. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario On a WordPress site that permits open registration, an attacker registers a Subscriber account and performs an action whose attacker-controlled data (e.g., a crafted profile field, request parameter, or other logged value) is captured by WP Activity Log without proper encoding. When an administrator later opens the activity log to review events, the stored script executes in the admin's authenticated browser session and can perform actions as that admin. …
Remediation Update WP Activity Log to a release later than 5.6.3.1 once confirmed via the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/wp-security-audit-log/vulnerability/wordpress-wp-activity-log-plugin-5-6-3-1-cross-site-scripting-xss-vulnerability); no exact patched version number is independently confirmed from the available data, so verify the fixed version directly with the vendor (Melapress) before relying on it. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all WordPress installations running Melapress WP Activity Log and document version numbers. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2020-36716 HIGH POC
7.3 Jun 07

The WP Activity Log plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the

CVE-2026-54806 CRITICAL
9.8 Jun 17

Unauthenticated PHP object injection in the WP Activity Log WordPress plugin versions 5.6.3.1 and earlier allows remote

CVE-2024-2018 HIGH
8.8 Apr 09

The WP Activity Log Premium plugin for WordPress is vulnerable to SQL Injection via the entry->roles parameter in all ve

CVE-2025-0924 HIGH
7.2 Feb 17

The WP Activity Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘message’ parameter in all

CVE-2026-45435 MEDIUM
6.5 May 25

DOM-Based Cross-Site Scripting in Melapress WP Activity Log (all versions through 5.6.3) allows a low-privileged, authen

CVE-2025-0767 MEDIUM
6.3 Feb 27

WP Activity Log 5.3.2 was found to be vulnerable. Rated medium severity (CVSS 6.3), this vulnerability is remotely explo

CVE-2024-10793 MEDIUM
6.1 Nov 15

The WP Activity Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user_id parameter in all v

CVE-2023-2261 MEDIUM
4.3 Jun 09

The WP Activity Log plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the

CVE-2023-2286 MEDIUM
4.3 Jun 09

The WP Activity Log for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.0. R

CVE-2023-2284 MEDIUM
4.3 Jun 09

The WP Activity Log Premium plugin for WordPress is vulnerable to unauthorized modification of data due to a missing cap

CVE-2023-2285 MEDIUM
4.3 Jun 09

The WP Activity Log Premium plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and incl

Share

CVE-2026-56005 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy