Vulnerabilities and security researches foruser-activity-log user-activity-log

Jun 07, 2024

CVE, Research URL: CVE-2023-3435
Home page URL: Security reports for User Activity Log
Application: User Activity Log
Date: Aug 15, 2023
Research Description: The User Activity Log WordPress plugin before 1.6.5 does not correctly sanitise and escape several parameters before using it in a SQL statement as part of its exportation feature, allowing unauthenticated attackers to conduct SQL injection attacks.
Affected versions: max 1.6.6.
Status: vulnerable

CVE, Research URL: d3f2489e82d0ec4cee04bbfb445022606b02a5a5
Home page URL: Security reports for User Activity Log
Application: User Activity Log
Date: Jul 29, 2017
Research Description: User Activity Log [user-activity-log] < 1.6.2 WordPress User Activity Log Plugin <= 1.2.3 - Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) Vulnerabilities There's no escaping done for $from_email and $to_email variables. Also, there's missing a nonce check. Update the plugin.
Affected versions: max 1.6.2.
Status: vulnerable

CVE, Research URL: CVE-2023-2761
Home page URL: Security reports for User Activity Log
Application: User Activity Log
Date: Jul 24, 2023
Research Description: The User Activity Log WordPress plugin before 1.6.3 does not properly sanitise and escape the `txtsearch` parameter before using it in a SQL statement in some admin pages, leading to a SQL injection exploitable by high privilege users such as admin.
Affected versions: max 1.6.3.
Status: vulnerable

CVE, Research URL: CVE-2023-4279
Home page URL: Security reports for User Activity Log
Application: User Activity Log
Date: Sep 04, 2023
Research Description: This User Activity Log WordPress plugin before 1.6.7 retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to hide the source of malicious traffic.
Affected versions: max 1.6.7.
Status: vulnerable

CVE, Research URL: CVE-2023-4269
Home page URL: Security reports for User Activity Log
Application: User Activity Log
Date: Sep 04, 2023
Research Description: The User Activity Log WordPress plugin before 1.6.6 lacks proper authorisation when exporting its activity logs, allowing any authenticated users, such as subscriber to perform such action and retrieve PII such as email addresses.
Affected versions: max 1.6.6.
Status: vulnerable

CVE, Research URL: CVE-2024-31356
Home page URL: Security reports for User Activity Log
Application: User Activity Log
Date: Apr 10, 2024
Research Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Solwin Infotech User Activity Log.This issue affects User Activity Log: from n/a through 1.8.
Affected versions: max 2.0.
Status: vulnerable

CVE, Research URL: CVE-2023-37966
Home page URL: Security reports for User Activity Log
Application: User Activity Log
Date: Oct 31, 2023
Research Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Solwin Infotech User Activity Log user-activity-log allows SQL Injection.This issue affects User Activity Log: from n/a through 1.6.2.
Affected versions: max 1.6.3.
Status: vulnerable

Jan 10, 2026

CVE, Research URL: CVE-2025-11877
Home page URL: Security reports for User Activity Log
Application: User Activity Log
Date: Jan 07, 2026
Research Description: The User Activity Log plugin is vulnerable to a limited options update in versions up to, and including, 2.2. The failed-login handler 'ual_shook_wp_login_failed' lacks a capability check and writes failed usernames directly into update_option() calls. This makes it possible for unauthenticated attackers to push select site options from 0 to a non-zero value, allowing them to reopen registration or corrupt options like 'wp_user_roles', breaking wp-admin access.
Affected versions: max 2.2.
Status: vulnerable

Feb 27, 2026

CVE, Research URL: CVE-2025-13471
Home page URL: Security reports for User Activity Log
Application: User Activity Log
Date: Jan 28, 2026
Research Description: The User Activity Log WordPress plugin through 2.2 does not properly handle failed login attempts in some cases, allowing unauthenticated users to set arbitrary options to 1 (for example to enable User Registration when it has been turned off)
Affected versions: max 2.2.
Status: vulnerable