The WP Activity Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user_id parameter in all versions up to, and including, 5.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrative user accesses an injected page.
Metrics
Affected Vendors & Products
References
History
Tue, 19 Nov 2024 21:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
CPEs | cpe:2.3:a:melapress:wp_activity_log:*:*:*:*:*:wordpress:*:* |
Fri, 15 Nov 2024 19:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Melapress
Melapress wp Activity Log |
|
CPEs | cpe:2.3:a:melapress:wp_activity_log:*:*:*:*:*:*:*:* | |
Vendors & Products |
Melapress
Melapress wp Activity Log |
|
Metrics |
ssvc
|
Fri, 15 Nov 2024 05:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | The WP Activity Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user_id parameter in all versions up to, and including, 5.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrative user accesses an injected page. | |
Title | WP Activity Log <= 5.2.1 - Unauthenticated Stored Cross-Site Scripting via User_id Parameter | |
Weaknesses | CWE-79 | |
References |
| |
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: Wordfence
Published: 2024-11-15T05:30:56.843Z
Updated: 2024-11-15T18:15:26.182Z
Reserved: 2024-11-04T15:17:43.499Z
Link: CVE-2024-10793
Vulnrichment
Updated: 2024-11-15T18:13:22.974Z
NVD
Status : Analyzed
Published: 2024-11-15T06:15:04.370
Modified: 2024-11-19T21:13:22.783
Link: CVE-2024-10793
Redhat
No data.