Wp Activity Log
Unauthenticated PHP object injection in the WP Activity Log WordPress plugin versions 5.6.3.1 and earlier allows remote attackers to deliver crafted serialized payloads that are deserialized by the plugin, enabling abuse of any POP (property-oriented programming) gadget chain present in WordPress core, other active plugins, or themes. With a CVSS 3.1 base of 9.8 (AV:N/AC:L/PR:N/UI:N) and no authentication required, successful exploitation typically yields remote code execution, arbitrary file operations, or database compromise on the affected site. No public exploit had been identified at the time of analysis and the vulnerability is not listed in CISA KEV, but its unauthenticated, network-reachable nature makes it a high-priority patch for any site running the plugin.
DOM-Based Cross-Site Scripting in Melapress WP Activity Log (all versions through 5.6.3) allows a low-privileged, authenticated attacker to inject malicious scripts into the browser DOM of a victim who interacts with crafted content, with scope impact extending beyond the plugin itself. The CVSS vector (PR:L/UI:R/S:C) indicates exploitation requires an existing WordPress account and victim interaction, but the changed scope means successful exploitation can compromise the victim's browser session across the broader WordPress environment. No public exploit code has been identified at time of analysis, and EPSS at 0.03% (10th percentile) signals low observed exploitation probability.
WP Activity Log 5.3.2 was found to be vulnerable. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable and requires no authentication. No vendor patch is available.
The WP Activity Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘message’ parameter in all versions up to, and including, 5.2.2 due to insufficient input sanitization. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable with low attack complexity and requires no authentication. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.