Skip to main content

WP Activity Log EUVD-2026-31764

| CVE-2026-45435 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-25 Patchstack GHSA-vx32-gc9p-9pfp
XSS Wp Activity Log
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 08, 2026 - 11:51 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Melapress WP Activity Log allows DOM-Based XSS.

This issue affects WP Activity Log: from n/a through 5.6.3.

AnalysisAI

DOM-Based Cross-Site Scripting in Melapress WP Activity Log (all versions through 5.6.3) allows a low-privileged, authenticated attacker to inject malicious scripts into the browser DOM of a victim who interacts with crafted content, with scope impact extending beyond the plugin itself. The CVSS vector (PR:L/UI:R/S:C) indicates exploitation requires an existing WordPress account and victim interaction, but the changed scope means successful exploitation can compromise the victim's browser session across the broader WordPress environment. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privilege WordPress user
Delivery
Trigger activity log entry with crafted DOM XSS payload
Exploit
Wait for administrator to open activity log page
Execution
Victim browser executes attacker script in admin context
Impact
Exfiltrate session token or perform unauthorized admin action
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a valid, low-privileged WordPress account (PR:L per CVSS vector) on the target site - unauthenticated external attackers cannot exploit this vulnerability. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS base score of 6.5 (Medium) reflects a network-accessible, low-complexity attack requiring low privileges and user interaction with changed scope. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged WordPress user (e.g., a contributor or editor on a multi-author site) submits content or performs an action that injects a crafted JavaScript payload into data recorded by the WP Activity Log plugin. When a WordPress administrator later navigates to the activity log page to review site events, the victim's browser executes the attacker's script in the admin's session context, potentially enabling session token theft, unauthorized admin actions, or account takeover. …
Remediation Update WP Activity Log to the version released after 5.6.3; the exact patched version is not independently confirmed from the available reference data - verify the current release at the WordPress plugin repository or the Melapress vendor page and apply the latest available version. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-54806 CRITICAL
9.8 Jun 17

Unauthenticated PHP object injection in the WP Activity Log WordPress plugin versions 5.6.3.1 and earlier allows remote

Share

EUVD-2026-31764 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy