Vulnerabilities and security researches forwp-security-audit-log wp-security-audit-log

Jun 07, 2024

CVE, Research URL: CVE-2014-5072
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: Apr 06, 2018
Research Description: Cross-site request forgery (CSRF) vulnerability in WP Security Audit Log plugin before 1.2.5 for WordPress allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2018-8719
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: Apr 05, 2018
Research Description: An issue was discovered in the WP Security Audit Log plugin 3.1.1 for WordPress. Access to wp-content/uploads/wp-security-audit-log/* files is not restricted. For example, these files are indexed by Google and allows for attackers to possibly find sensitive information.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2023-2285
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: Jun 09, 2023
Research Description: The WP Activity Log Premium plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.0. This is due to missing or incorrect nonce validation on the ajax_switch_db function. This makes it possible for unauthenticated attackers to make changes to the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2020-36716
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: Jun 07, 2023
Research Description: The WP Activity Log plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the setup_page function in versions up to, and including, 4.0.1. This makes it possible for unauthenticated attackers to run the setup wizard (if it has not been run previously) and access plugin configuration options.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2023-2286
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: Jun 09, 2023
Research Description: The WP Activity Log for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.0. This is due to missing or incorrect nonce validation on the ajax_run_cleanup function. This makes it possible for unauthenticated attackers to invoke this function via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2023-2284
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: Jun 09, 2023
Research Description: The WP Activity Log Premium plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_switch_db function in versions up to, and including, 4.5.0. This makes it possible for authenticated attackers with subscriber-level or higher to make changes to the plugin's settings.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2023-2261
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: Jun 09, 2023
Research Description: The WP Activity Log plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the handle_ajax_call function in versions up to, and including, 4.5.0. This makes it possible for authenticated attackers, with subscriber-level access or higher, to obtain a list of users with accounts on the site. This includes ids, usernames and emails.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2023-50905
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: Feb 29, 2024
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Melapress WP Activity Log allows Stored XSS.This issue affects WP Activity Log: from n/a through 4.6.1.
Affected versions: Min -, max -.
Status: vulnerable

Nov 14, 2024

CVE, Research URL: CVE-2022-4974
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: Oct 16, 2024
Research Description: The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.
Affected versions: Min -, max -.
Status: vulnerable

Nov 16, 2024

CVE, Research URL: CVE-2024-10793
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: Nov 15, 2024
Research Description: The WP Activity Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user_id parameter in all versions up to, and including, 5.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrative user accesses an injected page.
Affected versions: Min -, max -.
Status: vulnerable

Feb 17, 2025

CVE, Research URL: CVE-2025-0924
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: Feb 17, 2025
Research Description: The WP Activity Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘message’ parameter in all versions up to, and including, 5.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: Min -, max -.
Status: vulnerable

Mar 05, 2025

CVE, Research URL: CVE-2025-0767
Home page URL: Security reports for WP Activity Log
Application: WP Activity Log
Date: Feb 28, 2025
Research Description: WP Activity Log 5.3.2 was found to be vulnerable. Unvalidated user input is used directly in an unserialize function in myapp/classes/Writers/class-csv-writer.php.
Affected versions: Min -, max -.
Status: vulnerable