CVE-2025-0924

High CVSS: 7.2

The WP Activity Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘message’ parameter in all versions up to, and including, 5.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Vendor

Melapress

Product

Wp Activity Log

CWE

CWE-79

Yayın Tarihi

2025-02-17 05:15:09

Güncelleme

2025-05-23 17:41:46

Source Identifier

security@wordfence.com

KEV Date Added

Kategoriler

CWE-79 Wp Activity Log HIGH Melapress 2025

Referanslar

https://plugins.trac.wordpress.org/browser/wp-security-audit-log/trunk/classes/Controllers/class-alert-manager.php https://plugins.trac.wordpress.org/browser/wp-security-audit-log/trunk/classes/Controllers/class-alert.php https://plugins.trac.wordpress.org/changeset/3238760/ https://wordpress.org/plugins/wp-security-audit-log/#developers https://www.wordfence.com/threat-intel/vulnerabilities/id/91699d32-1768-4d87-a4f2-91969b3e3355?source=cve

Benzer Kayıtlar

Unknown

CVE-2025-3702

Missing Authorization vulnerability in Melapress Melapress File Monitor website-file-changes-monitor allows Exploiting I…

Medium

CVE-2024-9879

The Melapress File Monitor WordPress plugin before 2.1.1 does not sanitize and escape a parameter before using it in a S…

Medium

CVE-2024-10009

The Melapress File Monitor WordPress plugin before 2.1.0 does not sanitize and escape a parameter before using it in a S…

High

CVE-2025-39565

Deserialization of Untrusted Data vulnerability in Melapress MelaPress Login Security melapress-login-security allows Ob…

Medium

CVE-2025-2876

The MelaPress Login Security and MelaPress Login Security Premium plugins for WordPress is vulnerable to unauthorized lo…

Medium

CVE-2025-0767

WP Activity Log 5.3.2 was found to be vulnerable. Unvalidated user input is used directly in an unserialize function in…