The WP Activity Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user_id parameter in all versions up to, and including, 5.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrative user accesses an injected page.
Metrics
Affected Vendors & Products
| Vendors | Products |
|---|---|
| Melapress |
|
No data.
No data.
References
History
Fri, 15 Nov 2024 19:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Melapress
Melapress wp Activity Log |
|
| CPEs | cpe:2.3:a:melapress:wp_activity_log:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Melapress
Melapress wp Activity Log |
|
| Metrics |
ssvc
|
Fri, 15 Nov 2024 05:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The WP Activity Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user_id parameter in all versions up to, and including, 5.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrative user accesses an injected page. | |
| Title | WP Activity Log <= 5.2.1 - Unauthenticated Stored Cross-Site Scripting via User_id Parameter | |
| Weaknesses | CWE-79 | |
| References |
| |
| Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: Wordfence
Published: 2024-11-15T05:30:56.843Z
Updated: 2024-11-15T18:15:26.182Z
Reserved: 2024-11-04T15:17:43.499Z
Link: CVE-2024-10793
Vulnrichment
Updated: 2024-11-15T18:13:22.974Z
NVD
Status : Awaiting Analysis
Published: 2024-11-15T06:15:04.370
Modified: 2024-11-15T13:58:08.913
Link: CVE-2024-10793
Redhat
No data.