Description
The WP Activity Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘message’ parameter in all versions up to, and including, 5.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-02-17
Score: 7.2 High
EPSS: 6.4% Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The WP Activity Log plugin for WordPress is vulnerable to stored cross-site scripting via the 'message' parameter in all versions up to and including 5.2.2. The root cause is insufficient input sanitization combined with missing output escaping (CWE-79): an unauthenticated attacker can submit malicious content through the 'message' field, which is stored and later rendered unescaped in the plugin's alert pages, so the injected script executes in the browser of any user who opens an affected page.

Affected Systems

The flaw affects installations of the Melapress WP Activity Log plugin version 5.2.2 or earlier on WordPress websites. Any WordPress site that has deployed one of these plugin releases is at risk.

Risk and Exploitability

The CVSS 3.1 base score of 7.2 is rated High. Its vector (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) describes a flaw reachable over the network with low complexity, no privileges and no user interaction on the attacker's side, with scope changed because the impact lands in the browser of whoever views the stored content, and limited confidentiality and integrity loss. The EPSS score of 6.4% is a low estimated probability of exploitation in the wild over the next 30 days, the SSVC assessment records Exploitation: none and Automatable: yes, and the vulnerability is not listed in the CISA KEV catalog, so there is no public record of active exploitation at the time of this analysis. An unauthenticated attacker exploits the flaw by submitting malicious content in the exposed 'message' parameter; the payload is stored and subsequently rendered unescaped in alert pages, so every user who views the affected page is exposed until the entry is removed. Because activity-log entries are normally reviewed from the WordPress dashboard, the users most likely to load an injected page are administrators, and the script would run with their session.
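The Impact and Risk paragraphs above describe the two missing controls, input sanitization and output escaping. The following is an added illustrative example, not WP Activity Log's code and not a reproduction of the plugin's internals: a minimal WordPress-style log writer and viewer in the vulnerable shape, next to the hardened shape. It assumes WordPress is loaded (sanitize_text_field(), esc_html(), esc_attr(), wp_kses(), wp_unslash() and the Options API are WordPress core functions); the demo_* function names and the 'demo_activity_log' option name are hypothetical.

```php
<?php
/**
 * Added illustrative example; not WP Activity Log's code. Assumes WordPress
 * is loaded so the sanitize_*(), esc_*(), wp_kses(), wp_unslash() and
 * get_option()/update_option() calls resolve to core. The demo_* names and
 * the 'demo_activity_log' option are hypothetical.
 */

/* ---- Vulnerable pattern: the 'message' value is trusted end to end ---- */

function demo_log_event_vulnerable() {
    // Raw request data is persisted with no sanitization at all.
    $message = isset( $_POST['message'] ) ? wp_unslash( $_POST['message'] ) : '';

    $log   = get_option( 'demo_activity_log', array() );
    $log[] = array( 'time' => time(), 'message' => $message );
    update_option( 'demo_activity_log', $log );
}

function demo_render_log_vulnerable() {
    echo '<ul>';
    foreach ( get_option( 'demo_activity_log', array() ) as $entry ) {
        // The stored string is written into the page as markup, so a value
        // such as "<img src=x onerror=alert(1)>" becomes live HTML: stored XSS.
        echo '<li>' . $entry['message'] . '</li>';
    }
    echo '</ul>';
}

/* ---- Hardened pattern: sanitize on input, escape on output ---- */

function demo_log_event_hardened() {
    // sanitize_text_field() strips tags and control characters and trims;
    // a bounded length also keeps a hostile client from bloating the log.
    $message = isset( $_POST['message'] )
        ? sanitize_text_field( wp_unslash( $_POST['message'] ) )
        : '';
    $message = mb_substr( $message, 0, 1000 );

    $log   = get_option( 'demo_activity_log', array() );
    $log[] = array( 'time' => time(), 'message' => $message );
    update_option( 'demo_activity_log', $log );
}

function demo_render_log_hardened() {
    echo '<ul>';
    foreach ( get_option( 'demo_activity_log', array() ) as $entry ) {
        // Escape for the exact context the value lands in. This is the control
        // that must never be skipped: data can reach storage through paths that
        // bypass the input filter (imports, other hooks, rows written by an
        // older release), so the viewer cannot assume the row is clean.
        $when = esc_attr( gmdate( 'c', (int) $entry['time'] ) ); // attribute value
        $text = esc_html( $entry['message'] );                   // HTML text node
        echo '<li data-time="' . $when . '">' . $text . '</li>';
    }
    echo '</ul>';
}

/*
 * If a message legitimately carries limited markup, allow-list it instead of
 * echoing it: wp_kses( $entry['message'], array( 'a' => array( 'href' => true ) ) )
 * drops every other tag and attribute, including inline event handlers.
 */
```

esc_html() encodes the angle brackets, quotes and ampersand, so the browser renders a payload as literal text; esc_attr() does the same for attribute values, and a value handed to JavaScript should go through wp_json_encode() rather than either. For an audit log there is a tension between stripping tags on input and keeping the attacker's exact bytes for forensics; whichever way that is decided, the output escaping in the viewer is the part that must be present.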

Generated by OpenCVE AI on April 22, 2026 at 17:57 UTC.

Remediation

No vendor fix or workaround is recorded in the CVE entry captured on this page; the upgrade path is given under Recommended Actions below.

OpenCVE Recommended Actions

  • Upgrade WP Activity Log to the latest version (5.3 or newer) to remove the vulnerable code path, and confirm the installed version afterwards from the Plugins screen or with the WP-CLI command wp plugin list so that a stale copy on another environment is not missed.
  • If the plugin cannot be upgraded immediately, disable or remove it entirely from the site to eliminate the injection vector.
  • Deploy a site-wide Content Security Policy that disallows inline script execution (no 'unsafe-inline' in script-src) to limit what an injected script can do. Treat this as defense in depth rather than a fix: WordPress core and many plugins emit inline scripts in the dashboard, so roll the policy out in report-only mode first, and the stored payload itself still has to be removed.
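As an added example for the CSP step above (not WP Activity Log code, and not a policy taken from any vendor guidance), the following shows the weak setting beside a tightened one and ships the header from WordPress itself. It assumes WordPress is loaded; the policy string, the DEMO_CSP_POLICY constant and the /csp-report path are placeholders a site would tune.

```php
<?php
/**
 * Added example (not WP Activity Log code) of shipping a Content Security
 * Policy from WordPress. Assumes WordPress is loaded; the policy, the
 * DEMO_CSP_POLICY constant and the /csp-report endpoint are placeholders.
 */

// Weak policy: 'unsafe-inline' in script-src lets an injected <script> or an
// onerror= handler run, so it adds nothing against stored XSS.
//   script-src 'self' 'unsafe-inline'

const DEMO_CSP_POLICY =
    "default-src 'self'; "
    . "script-src 'self'; "         // no 'unsafe-inline': inline payloads are blocked
    . "object-src 'none'; "
    . "base-uri 'self'; "
    . "report-uri /csp-report";     // hypothetical collector endpoint

add_action( 'init', function () {
    if ( headers_sent() ) {
        return;
    }
    // Report-Only first: WordPress core and many plugins print inline scripts
    // in the dashboard, so an enforcing policy deployed blind will break it.
    // Switch the header name to 'Content-Security-Policy' once the reports
    // are clean or the offending inline scripts have been moved to files.
    header( 'Content-Security-Policy-Report-Only: ' . DEMO_CSP_POLICY );
} );
```

The init hook fires before output on both front-end and admin requests, which is why it is used here instead of send_headers; the headers_sent() guard avoids a warning if something earlier has already started the response.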


Advisories
Source: EUVD
ID: EUVD-2025-1928
Title: The WP Activity Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘message’ parameter in all versions up to, and including, 5.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Wed, 16 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values Removed: {'score': 0.14754}
Values Added: {'score': 0.07118}


Fri, 23 May 2025 18:00:00 +0000

Type: First Time appeared
Values Added: Melapress; Melapress wp Activity Log

Type: CPEs
Values Added: cpe:2.3:a:melapress:wp_activity_log:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values Added: Melapress; Melapress wp Activity Log

Tue, 18 Feb 2025 16:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 17 Feb 2025 04:45:00 +0000

Type: Description
Values Added: The WP Activity Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘message’ parameter in all versions up to, and including, 5.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Added: WP Activity Log <= 5.2.2 - Unauthenticated Stored Cross-Site Scripting

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Melapress Wp Activity Log
MITRE
Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-04-08T17:09:15.144Z
Reserved: 2025-01-31T02:13:49.165Z
Link: CVE-2025-0924

Vulnrichment
Updated: 2025-02-18T15:31:52.507Z

NVD
Status: Analyzed
Published: 2025-02-17T05:15:09.410
Modified: 2025-05-23T17:41:46.150
Link: CVE-2025-0924

Redhat
No data.

OpenCVE Enrichment
Updated: 2026-04-22T18:00:05Z

Weaknesses