Cyber Posture

CVE-2025-0924

High

Published: 17 February 2025

Modified: 23 May 2025
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
EPSS Score: 0.0640 (91.1st percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

The WP Activity Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘message’ parameter in all versions up to, and including, 5.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Security Summary

CVE-2025-0924 is a stored cross-site scripting (XSS) vulnerability in the WP Activity Log plugin for WordPress, affecting all versions up to and including 5.2.2. The flaw stems from insufficient input sanitization and output escaping of the 'message' parameter, allowing arbitrary web scripts to be injected into pages. It has been assigned CWE-79 and a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), highlighting its high severity due to network accessibility, low attack complexity, and changed scope.

Unauthenticated attackers can exploit this vulnerability remotely without privileges or user interaction by submitting malicious payloads via the 'message' parameter. Once injected, the scripts persist in the database and execute in users' browsers whenever they access the affected pages, potentially leading to session hijacking, defacement, or theft of sensitive data like admin credentials.

Advisories and plugin repository references, including Wordfence threat intelligence and WordPress trac changesets such as 3238760, point to mitigation by updating the WP Activity Log plugin to a patched release later than 5.2.2. Source code diffs in class-alert-manager.php and class-alert.php show the sanitization and escaping fixes that were applied. Security practitioners should scan their environments for vulnerable installations and apply the update promptly from the official WordPress plugin directory.

Details

CWE(s)
CWE-79

Affected Products

melapress / wp activity log / ≤ 5.3.0

References