Vulnerabilities and security researches forwp-security-audit-log wp-security-audit-log

Direction: ascending

Jun 07, 2024

WP Activity Log # CVE-2014-5072

CVE, Research URL: CVE-2014-5072
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: Apr 06, 2018
Research Description: Cross-site request forgery (CSRF) vulnerability in WP Security Audit Log plugin before 1.2.5 for WordPress allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
Affected versions: max 1.2.5.
Status: vulnerable

WP Activity Log # CVE-2018-8719

CVE, Research URL: CVE-2018-8719
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: Apr 05, 2018
Research Description: An issue was discovered in the WP Security Audit Log plugin 3.1.1 for WordPress. Access to wp-content/uploads/wp-security-audit-log/* files is not restricted. For example, these files are indexed by Google and allows for attackers to possibly find sensitive information.
Affected versions: Min 1.5, max 3.1.2.
Status: vulnerable

WP Activity Log # CVE-2023-2285

CVE, Research URL: CVE-2023-2285
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: Jun 09, 2023
Research Description: The WP Activity Log Premium plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.0. This is due to missing or incorrect nonce validation on the ajax_switch_db function. This makes it possible for unauthenticated attackers to make changes to the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions: max 4.5.2.
Status: vulnerable

WP Activity Log # CVE-2020-36716

CVE, Research URL: CVE-2020-36716
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: Jun 07, 2023
Research Description: The WP Activity Log plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the setup_page function in versions up to, and including, 4.0.1. This makes it possible for unauthenticated attackers to run the setup wizard (if it has not been run previously) and access plugin configuration options.
Affected versions: max 4.5.2.
Status: vulnerable

WP Activity Log # CVE-2023-2286

CVE, Research URL: CVE-2023-2286
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: Jun 09, 2023
Research Description: The WP Activity Log for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.0. This is due to missing or incorrect nonce validation on the ajax_run_cleanup function. This makes it possible for unauthenticated attackers to invoke this function via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions: max 4.5.2.
Status: vulnerable

WP Activity Log # CVE-2023-2284

CVE, Research URL: CVE-2023-2284
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: Jun 09, 2023
Research Description: The WP Activity Log Premium plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_switch_db function in versions up to, and including, 4.5.0. This makes it possible for authenticated attackers with subscriber-level or higher to make changes to the plugin's settings.
Affected versions: max 4.5.2.
Status: vulnerable

WP Activity Log # CVE-2023-2261

CVE, Research URL: CVE-2023-2261
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: Jun 09, 2023
Research Description: The WP Activity Log plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the handle_ajax_call function in versions up to, and including, 4.5.0. This makes it possible for authenticated attackers, with subscriber-level access or higher, to obtain a list of users with accounts on the site. This includes ids, usernames and emails.
Affected versions: Min 1.5, max 4.5.2.
Status: vulnerable

WP Activity Log # CVE-2023-50905

CVE, Research URL: CVE-2023-50905
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: Feb 29, 2024
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Melapress WP Activity Log allows Stored XSS.This issue affects WP Activity Log: from n/a through 4.6.1.
Affected versions: max 4.6.2.
Status: vulnerable

Nov 14, 2024

WP Activity Log # CVE-2022-4974

CVE, Research URL: CVE-2022-4974
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: Oct 16, 2024
Research Description: The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.
Affected versions: max 4.4.0.
Status: vulnerable

Nov 16, 2024

WP Activity Log # CVE-2024-10793

CVE, Research URL: CVE-2024-10793
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: Nov 15, 2024
Research Description: The WP Activity Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user_id parameter in all versions up to, and including, 5.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrative user accesses an injected page.
Affected versions: max 5.2.2.
Status: vulnerable

Feb 17, 2025

WP Activity Log # CVE-2025-0924

CVE, Research URL: CVE-2025-0924
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: Feb 17, 2025
Research Description: The WP Activity Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘message’ parameter in all versions up to, and including, 5.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 5.3.0.
Status: vulnerable

Mar 05, 2025

WP Activity Log # CVE-2025-0767

CVE, Research URL: CVE-2025-0767
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: Feb 28, 2025
Research Description: WP Activity Log 5.3.2 was found to be vulnerable. Unvalidated user input is used directly in an unserialize function in myapp/classes/Writers/class-csv-writer.php.
Affected versions: max 5.3.3.
Status: vulnerable

Aug 21, 2025

WP Activity Log # PSC-2025-64589

PSC, Research URL: PSC-2025-64589
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: Aug 26, 2025
Research Description: WP Activity Log is a powerful WordPress plugin designed to provide detailed, real-time logging of all activities across your WordPress sites and multisite networks. From user login attempts to changes in posts, plugins, themes, and settings, this plugin gives administrators full visibility into everything that happens on their websites. With its granular event tracking, WP Activity Log helps site owners improve security, accountability, compliance, and troubleshooting. Administrators can detect suspicious activity before it escalates, meet compliance standards such as GDPR and PCI DSS, and streamline user management with accurate records of who did what, when, and from where. By ensuring every action is logged, WP Activity Log provides a transparent and secure environment, making it a vital tool for businesses, agencies, and security professionals managing WordPress-powered sites.
Affected versions: Min 5.6.4, max 5.6.4.
Status: SAFE & CERTIFIED

Feb 27, 2026

WP Activity Log # CVE-2026-25331

CVE, Research URL: CVE-2026-25331
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: Feb 19, 2026
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Melapress WP Activity Log wp-security-audit-log allows DOM-Based XSS.This issue affects WP Activity Log: from n/a through <= 5.5.4.
Affected versions: max 5.6.0.
Status: vulnerable

May 26, 2026

WP Activity Log # CVE-2026-45435

CVE, Research URL: CVE-2026-45435
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: May 26, 2026
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Melapress WP Activity Log allows DOM-Based XSS. This issue affects WP Activity Log: from n/a through 5.6.3.
Affected versions: max 5.6.3.1.
Status: vulnerable

Jun 14, 2026

WP Activity Log # CVE-2023-33999

CVE, Research URL: CVE-2023-33999
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: Jun 11, 2026
Research Description: Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPVibes WP Mail Log allows DOM-Based XSS. This issue affects WP Mail Log: from n/a through 1.0.2.
Affected versions: Min 1.5, max 4.4.3.
Status: vulnerable

Jun 16, 2026

WP Activity Log # b206c85207184c90b5da8fadceb9e030e85ab1b6

CVE, Research URL: b206c85207184c90b5da8fadceb9e030e85ab1b6
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: Nov 14, 2020
Research Description: WP Activity Log [wp-security-audit-log] < 4.1.5 WordPress WP Activity Log plugin <= 4.1.4 - SQL Injection (SQLi) in External Database Module vulnerability SQL Injection (SQLi) in External Database Module vulnerability found by WP deeply in WordPress WP Activity Log plugin (versions <= 4.1.4 ).
Affected versions: max 4.1.5.
Status: vulnerable

WP Activity Log # b7bae5d02d2da5afeaae72c8ac7f132274650ed9

CVE, Research URL: b7bae5d02d2da5afeaae72c8ac7f132274650ed9
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: Mar 02, 2019
Research Description: WP Activity Log [wp-security-audit-log] < 3.3.1.2 WordPress WP Security Audit Log <=3.3.1.1 - Authenticated Option Update vulnerability (Fremius Library security issue) Authenticated Option Update vulnerability (Fremius Library security issue) found in WordPress WP Security Audit Log (versions <=3.3.1.1).
Affected versions: max 3.3.1.2.
Status: vulnerable

WP Activity Log # 423db6f18e40bada4f753f75004f47b51c4f8620

CVE, Research URL: 423db6f18e40bada4f753f75004f47b51c4f8620
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: Jun 27, 2017
Research Description: WP Activity Log [wp-security-audit-log] < 2.4.4 WordPress WP Security Audit Log plugin <= 2.4.3 - Reflected Cross-Site Scripting (XSS) Vulnerability Reflected Cross-Site Scripting (XSS) Vulnerability exists in AjaxDisableCustomField() function, in the file /wp-security-audit-log.php. The "notice" variable is printed on the front-end without escaping it. Update the plugin.
Affected versions: max 2.4.4.
Status: vulnerable

WP Activity Log # 6ff37c2e-e21d-4abc-bafe-8ca6a2c1ed76

CVE, Research URL: 6ff37c2e-e21d-4abc-bafe-8ca6a2c1ed76
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: -
Research Description: WP Activity Log [wp-security-audit-log] < 3.3.1.2 Freemius Library < 2.2.4 - Subscriber+ Arbitrary Option Update The library, used in numerous plugins, does not have proper authorisation when updating blog options, allowing any authenticated users, such as subscriber to update arbitrary options
Affected versions: max 3.3.1.2.
Status: vulnerable

WP Activity Log # 811a04839242bd189bf9b866f09bc65da4e8e353

CVE, Research URL: 811a04839242bd189bf9b866f09bc65da4e8e353
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: Nov 04, 2020
Research Description: WP Activity Log [wp-security-audit-log] < 4.1.5 WP Activity Log <= 4.1.4 - SQL Injection The WP Activity Log plugin for WordPress is vulnerable to SQL Injection via multiple parameters in versions up to, and including, 4.1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Affected versions: max 4.1.5.
Status: vulnerable

WP Activity Log # f53f1894e144f41b1cd5bcd4f0aad0770337d1ff

CVE, Research URL: f53f1894e144f41b1cd5bcd4f0aad0770337d1ff
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: Feb 28, 2022
Research Description: WP Activity Log [wp-security-audit-log] < 4.4.0 WordPress WP Activity Log plugin < 4.4.0 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability discovered in WordPress WP Activity Log plugin (versions < 4.4.0).
Affected versions: max 4.4.0.
Status: vulnerable

WP Activity Log # 24301bb430992c87d3e0d632fc40dc519c6ea787

CVE, Research URL: 24301bb430992c87d3e0d632fc40dc519c6ea787
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: Mar 08, 2020
Research Description: WP Activity Log [wp-security-audit-log] < 4.0.2 WordPress WP Security Audit Log plugin <= 4.0.1 - Broken Access Control vulnerability Broken Access Control vulnerability discovered by NinTechNet in WordPress WP Security Audit Log plugin (versions <= 4.0.1).
Affected versions: max 4.0.2.
Status: vulnerable

WP Activity Log # 8d7110c59eeaeea16f7bff36361b3b20f8e5e06d

CVE, Research URL: 8d7110c59eeaeea16f7bff36361b3b20f8e5e06d
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: Jun 27, 2016
Research Description: WP Activity Log [wp-security-audit-log] < 2.4.4 WordPress Security Audit Log Plugin <= 2.4.3 - Cross Site Scripting This plugin is prone to a cross site scripting vulnerability in the "/wp-security-audit-log.php" file. Because of this vulnerability, the attackers can inject arbitrary web script or HTML. Update the plugin.
Affected versions: max 2.4.4.
Status: vulnerable

WP Activity Log # 9e47a3832653b15f0cb8b31e5cb3a7bbce2d775c

CVE, Research URL: 9e47a3832653b15f0cb8b31e5cb3a7bbce2d775c
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: Feb 28, 2022
Research Description: WP Activity Log [wp-security-audit-log] < 4.4.0 WordPress WP Activity Log plugin < 4.4.0 - Sensitive Information Disclosure vulnerability Sensitive Information Disclosure vulnerability discovered in WordPress WP Activity Log plugin (versions < 4.4.0).
Affected versions: max 4.4.0.
Status: vulnerable

WP Activity Log # 6dae6dca-7474-4008-9fe5-4c62b9f12d0a

CVE, Research URL: 6dae6dca-7474-4008-9fe5-4c62b9f12d0a
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: -
Research Description: WP Activity Log [wp-security-audit-log] < 4.4.0 Unauthorised AJAX Calls via Freemius The plugins and themes use an insecure version of the Freemius Framework, which is lacking CSRF and/or authorisation in some of its AJAX actions. As a result, any authenticated users, such as subscriber could access the debug logs. Unauthenticated attackers could also make a logged in admin toggle the debug mode via a CSRF attack.
Affected versions: max 4.4.0.
Status: vulnerable

WP Activity Log # 6d8910c719b2a132ec93828cd37e418b19cac960

CVE, Research URL: 6d8910c719b2a132ec93828cd37e418b19cac960
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: Mar 04, 2022
Research Description: WP Activity Log [wp-security-audit-log] < 4.4.0 Freemius SDK <= 2.4.2 - Missing Authorization Checks The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.
Affected versions: max 4.4.0.
Status: vulnerable

WP Activity Log # f7f5606afbdc5801a9e93afbe3a286c95a617d9b

CVE, Research URL: f7f5606afbdc5801a9e93afbe3a286c95a617d9b
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: Mar 08, 2020
Research Description: WP Activity Log [wp-security-audit-log] < 4.0.2 WP Activity Log <= 4.0.1 - Missing Authorization The WP Activity Log plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the setup_page function in versions up to, and including, 4.0.1. This makes it possible for unauthenticated attackers to run the setup wizard (if it has not been run previously) and access plugin configuration options.
Affected versions: max 4.0.2.
Status: vulnerable

WP Activity Log # 7e57cd4f4859826de00a8e2b09ee24fb7f2d824b

CVE, Research URL: 7e57cd4f4859826de00a8e2b09ee24fb7f2d824b
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: Feb 25, 2019
Research Description: WP Activity Log [wp-security-audit-log] < 3.3.1.2 Freemius SDK <= 2.2.3 - Missing Authorization to Arbitrary Options Update The Freemius SDK for WordPress is vulnerable to authorization bypass due to a missing capability check on the _get_db_option and _set_db_option functions in versions up to, and including, 2.2.3. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to change site settings and potentially take over the site.
Affected versions: max 3.3.1.2.
Status: vulnerable

WP Activity Log # da8225bf69bb6d6edfa71c5601415a515ed073f1

CVE, Research URL: da8225bf69bb6d6edfa71c5601415a515ed073f1
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: Mar 08, 2023
Research Description: WP Activity Log [wp-security-audit-log] < 4.0.2 WordPress WP Activity Log Plugin <= 4.0.1 is vulnerable to Broken Access Control Update the WordPress WP Activity Log plugin to the latest available version (at least 4.0.2). Jerome Bruandet (NinTechNet) discovered and reported this Broken Access Control vulnerability in WordPress WP Activity Log Plugin. This vulnerability has been fixed in version 4.0.2.
Affected versions: max 4.0.2.
Status: vulnerable

WP Activity Log # 07ea4892a30a27b952c46754c12677a5b88cefb2

CVE, Research URL: 07ea4892a30a27b952c46754c12677a5b88cefb2
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: Jun 27, 2016
Research Description: WP Activity Log [wp-security-audit-log] >= 1.5 - <= 2.4.3 WP Activity Log 1.5 - 2.4.3 - Reflected Cross-Site Scripting The WP Activity Log plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘notice’ parameter in versions up to, and including, 2.4.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions: Min 1.5, max 2.4.3.
Status: vulnerable

WP Activity Log # 4ec13b3c-7fc9-4d9a-98f5-e59187d128a4

CVE, Research URL: 4ec13b3c-7fc9-4d9a-98f5-e59187d128a4
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: -
Research Description: WP Activity Log [wp-security-audit-log] < 4.1.5 WP Activity Log < 4.1.5 - SQL Injection in External Database Module Two SQL Injection vulnerabilities were identified in the WP Activity Log WordPress plugin. The changelog of the plugin states: "SQL Injection in external database module reported by WP deeply. Thank you for the responsible disclosure."
Affected versions: max 4.1.5.
Status: vulnerable

WP Activity Log # 91e568d3-ba3d-4941-bb58-4f6630d2cded

CVE, Research URL: 91e568d3-ba3d-4941-bb58-4f6630d2cded
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: -
Research Description: WP Activity Log [wp-security-audit-log] >= 1.5 - <= 2.4.3 WP Security Audit Log 1.5-2.4.3 - Authenticated Reflected Cross-Site Scripting (XSS) The WP Activity Log WordPress plugin was affected by an Authenticated Reflected Cross-Site Scripting (XSS) security vulnerability.
Affected versions: Min 1.5, max 2.4.3.
Status: vulnerable

Jun 18, 2026

WP Activity Log # CVE-2026-54806

CVE, Research URL: CVE-2026-54806
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: Jun 17, 2026
Research Description: Unauthenticated PHP Object Injection in WP Activity Log <= 5.6.3.1 versions.
Affected versions: max 5.6.4.
Status: vulnerable