Security reports forwp-security-audit-log

Security reports forwp-security-audit-log wp-security-audit-log
CVE/PSC	Application	Date	Affected versions	Description
	Actual on: Jun 27, 2025, 06:06:10
	Entries count: 12
CVE-2025-0767	WP Activity Log vulnerable	Mar 05, 2025, 00:03:21	Min - Max 5.3.3	WP Activity Log 5.3.2 was found to be vulnerable. Unvalidated user input is used directly in an unserialize function in myapp/classes/Writers/class-csv-writer.php.
CVE-2025-0924	WP Activity Log vulnerable	Feb 17, 2025, 15:02:44	Min - Max 5.3.0	The WP Activity Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘message’ parameter in all versions up to, and including, 5.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2014-5072	WP Activity Log vulnerable	Jun 07, 2024, 06:06:10	Min - Max 1.2.5	Cross-site request forgery (CSRF) vulnerability in WP Security Audit Log plugin before 1.2.5 for WordPress allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
CVE-2018-8719	WP Activity Log vulnerable	Jun 07, 2024, 06:06:10	Min 1.5 Max 2.4.3	An issue was discovered in the WP Security Audit Log plugin 3.1.1 for WordPress. Access to wp-content/uploads/wp-security-audit-log/* files is not restricted. For example, these files are indexed by Google and allows for attackers to possibly find sensitive information.
CVE-2023-2285	WP Activity Log vulnerable	Jun 07, 2024, 06:06:10	Min - Max 4.5.2	The WP Activity Log Premium plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.0. This is due to missing or incorrect nonce validation on the ajax_switch_db function. This makes it possible for unauthenticated attackers to make changes to the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2020-36716	WP Activity Log vulnerable	Jun 07, 2024, 06:06:10	Min - Max 4.5.2	The WP Activity Log plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the setup_page function in versions up to, and including, 4.0.1. This makes it possible for unauthenticated attackers to run the setup wizard (if it has not been run previously) and access plugin configuration options.
CVE-2023-2286	WP Activity Log vulnerable	Jun 07, 2024, 06:06:10	Min - Max 4.5.2	The WP Activity Log for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.0. This is due to missing or incorrect nonce validation on the ajax_run_cleanup function. This makes it possible for unauthenticated attackers to invoke this function via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2023-2284	WP Activity Log vulnerable	Jun 07, 2024, 06:06:10	Min - Max 4.5.2	The WP Activity Log Premium plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_switch_db function in versions up to, and including, 4.5.0. This makes it possible for authenticated attackers with subscriber-level or higher to make changes to the plugin's settings.
CVE-2023-2261	WP Activity Log vulnerable	Jun 07, 2024, 06:06:10	Min 1.5 Max 2.4.3	The WP Activity Log plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the handle_ajax_call function in versions up to, and including, 4.5.0. This makes it possible for authenticated attackers, with subscriber-level access or higher, to obtain a list of users with accounts on the site. This includes ids, usernames and emails.
CVE-2023-50905	WP Activity Log vulnerable	Jun 07, 2024, 06:06:10	Min - Max 4.6.2	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Melapress WP Activity Log allows Stored XSS.This issue affects WP Activity Log: from n/a through 4.6.1.
CVE-2024-10793	WP Activity Log vulnerable	Nov 16, 2024, 11:11:46	Min - Max 5.2.2	The WP Activity Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user_id parameter in all versions up to, and including, 5.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrative user accesses an injected page.
CVE-2022-4974	WP Activity Log vulnerable	Nov 14, 2024, 17:11:39	Min - Max 4.4.0	The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.

CVE-2025-0767

vulnerable

Mar 05, 2025, 00:03:21

Min -

Max 5.3.3

WP Activity Log 5.3.2 was found to be vulnerable. Unvalidated user input is used directly in an unserialize function in myapp/classes/Writers/class-csv-writer.php.

CVE-2025-0924

WP Activity Log

vulnerable

Feb 17, 2025, 15:02:44

Min -

Max 5.3.0

The WP Activity Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘message’ parameter in all versions up to, and including, 5.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2014-5072

WP Activity Log

vulnerable

Jun 07, 2024, 06:06:10

Min -

Max 1.2.5

Cross-site request forgery (CSRF) vulnerability in WP Security Audit Log plugin before 1.2.5 for WordPress allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2018-8719

WP Activity Log

vulnerable

Jun 07, 2024, 06:06:10

Min 1.5

Max 2.4.3

An issue was discovered in the WP Security Audit Log plugin 3.1.1 for WordPress. Access to wp-content/uploads/wp-security-audit-log/* files is not restricted. For example, these files are indexed by Google and allows for attackers to possibly find sensitive information.

CVE-2023-2285

WP Activity Log

vulnerable

Jun 07, 2024, 06:06:10

Min -

Max 4.5.2

The WP Activity Log Premium plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.0. This is due to missing or incorrect nonce validation on the ajax_switch_db function. This makes it possible for unauthenticated attackers to make changes to the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2020-36716

WP Activity Log

vulnerable

Jun 07, 2024, 06:06:10

Min -

Max 4.5.2

The WP Activity Log plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the setup_page function in versions up to, and including, 4.0.1. This makes it possible for unauthenticated attackers to run the setup wizard (if it has not been run previously) and access plugin configuration options.

CVE-2023-2286

WP Activity Log

vulnerable

Jun 07, 2024, 06:06:10

Min -

Max 4.5.2

The WP Activity Log for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.0. This is due to missing or incorrect nonce validation on the ajax_run_cleanup function. This makes it possible for unauthenticated attackers to invoke this function via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2023-2284

WP Activity Log

vulnerable

Jun 07, 2024, 06:06:10

Min -

Max 4.5.2

The WP Activity Log Premium plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_switch_db function in versions up to, and including, 4.5.0. This makes it possible for authenticated attackers with subscriber-level or higher to make changes to the plugin's settings.

CVE-2023-2261

WP Activity Log

vulnerable

Jun 07, 2024, 06:06:10

Min 1.5

Max 2.4.3

The WP Activity Log plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the handle_ajax_call function in versions up to, and including, 4.5.0. This makes it possible for authenticated attackers, with subscriber-level access or higher, to obtain a list of users with accounts on the site. This includes ids, usernames and emails.

CVE-2023-50905

WP Activity Log

vulnerable

Jun 07, 2024, 06:06:10

Min -

Max 4.6.2

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Melapress WP Activity Log allows Stored XSS.This issue affects WP Activity Log: from n/a through 4.6.1.

CVE-2024-10793

WP Activity Log

vulnerable

Nov 16, 2024, 11:11:46

Min -

Max 5.2.2

The WP Activity Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user_id parameter in all versions up to, and including, 5.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrative user accesses an injected page.

CVE-2022-4974

WP Activity Log

vulnerable

Nov 14, 2024, 17:11:39

Min -

Max 4.4.0

The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.

Security reports forwp-security-audit-log wp-security-audit-log