Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Network-reachable web app (AV:N), low complexity (AC:L); the 'Subscriber' requirement implies authentication so PR:L not PR:N; an admin must view the log (UI:R) and the XSS crosses into the admin context (S:C).
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Subscriber Cross Site Scripting (XSS) in WP Activity Log <= 5.6.3.1 versions.
AnalysisAI
Stored/reflected Cross-Site Scripting in Melapress's WP Activity Log WordPress plugin (versions <= 5.6.3.1, reported by Patchstack) lets a low-privileged Subscriber-level user inject script that executes in another user's browser, with a CVSS-rated scope change (S:C) meaning the payload can affect resources beyond the plugin's own security context. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; direct impact is limited (C:L/I:L/A:L) but the cross-context scope and low attack complexity make it relevant for sites that allow open registration.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires WP Activity Log installed at version <= 5.6.3.1 and the attacker being able to submit data that the plugin logs and later renders to a viewer. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed-to-moderate. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | On a WordPress site that permits open registration, an attacker registers a Subscriber account and performs an action whose attacker-controlled data (e.g., a crafted profile field, request parameter, or other logged value) is captured by WP Activity Log without proper encoding. When an administrator later opens the activity log to review events, the stored script executes in the admin's authenticated browser session and can perform actions as that admin. … |
| Remediation | Update WP Activity Log to a release later than 5.6.3.1 once confirmed via the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/wp-security-audit-log/vulnerability/wordpress-wp-activity-log-plugin-5-6-3-1-cross-site-scripting-xss-vulnerability); no exact patched version number is independently confirmed from the available data, so verify the fixed version directly with the vendor (Melapress) before relying on it. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all WordPress installations running Melapress WP Activity Log and document version numbers. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Wp Activity Log
View allThe WP Activity Log plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the
Unauthenticated PHP object injection in the WP Activity Log WordPress plugin versions 5.6.3.1 and earlier allows remote
The WP Activity Log Premium plugin for WordPress is vulnerable to SQL Injection via the entry->roles parameter in all ve
The WP Activity Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘message’ parameter in all
DOM-Based Cross-Site Scripting in Melapress WP Activity Log (all versions through 5.6.3) allows a low-privileged, authen
WP Activity Log 5.3.2 was found to be vulnerable. Rated medium severity (CVSS 6.3), this vulnerability is remotely explo
The WP Activity Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user_id parameter in all v
The WP Activity Log plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the
The WP Activity Log for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.0. R
The WP Activity Log Premium plugin for WordPress is vulnerable to unauthorized modification of data due to a missing cap
The WP Activity Log Premium plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and incl
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39374
GHSA-fr34-xvr7-v6g8