Vulnerabilities and security researches forcoreactivity coreactivity

Apr 09, 2025

CVE, Research URL: CVE-2025-3436
Home page URL: Security reports for coreActivity: Activity Logging plugin for WordPress
Application: coreActivity: Activity Logging plugin for WordPress
Date: Apr 08, 2025
Research Description: The coreActivity: Activity Logging for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'order' and 'orderby' parameters in all versions up to, and including, 2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Affected versions: Min -, max -.
Status: vulnerable

Jun 10, 2024

CVE, Research URL: CVE-2024-0852
Home page URL: Security reports for coreActivity: Activity Logging plugin for WordPress
Application: coreActivity: Activity Logging plugin for WordPress
Date: -
Research Description: The coreActivity plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an unknown parameter in all versions up to, and including, 1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: Min -, max -.
Status: vulnerable

Jun 07, 2024

CVE, Research URL: afd4ba5157d2b746be6f7384dc1b65c3c1fb4c06
Home page URL: Security reports for coreActivity: Activity Logging plugin for WordPress
Application: coreActivity: Activity Logging plugin for WordPress
Date: Jan 26, 2024
Research Description: coreActivity: Activity Logging plugin for WordPress [coreactivity] < 1.8.1 coreActivity <= 1.8 - Unauthenticated Stored Cross-Site Scripting The coreActivity plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an unknown parameter in all versions up to, and including, 1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2024-0868
Home page URL: Security reports for coreActivity: Activity Logging plugin for WordPress
Application: coreActivity: Activity Logging plugin for WordPress
Date: Apr 17, 2024
Research Description: The coreActivity: Activity Logging plugin for WordPress plugin before 2.1 retrieved IP addresses of requests via headers such X-FORWARDED to log them, allowing users to spoof them by providing an arbitrary value
Affected versions: Min -, max -.
Status: vulnerable