Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webheadcoder WP Log Action (wp-log-action) allows Reflected XSS. This issue affects WP Log Action: from n/a through <= 0.51.
Published: 2025-04-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input during page generation leads to reflected cross‑site scripting in the WP Log Action plugin. CWE‑79 applies because the plugin fails to encode or filter user‑supplied data that is subsequently rendered in a browser. An attacker can inject malicious JavaScript that executes in the context of site visitors, potentially stealing authentication cookies, defacing the page, or redirecting users to malicious sites.

Affected Systems

The vulnerability affects the WordPress plugin WP Log Action, developed by webheadcoder, in all versions through 0.51 (no lower bound is given). Sites running any of these releases are at risk.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity. The EPSS score of less than 1% signifies a low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, reflected XSS can be triggered via a crafted URL or form submission that the plugin echoes back without proper escaping, making the threat realistic for sites that allow arbitrary input. Mitigation should be applied promptly to avoid client‑side attacks.

Generated by OpenCVE AI on May 1, 2026 at 09:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Log Action plugin to a version higher than 0.51 that contains the necessary input sanitization fixes, once one is available.
  • If an upgrade is not immediately possible, suspend or delete the plugin to eliminate the XSS surface area.
  • Implement a strict Content Security Policy that blocks inline scripts for the affected paths and enforce nonce‑based script execution to reduce the impact if an attacker manages to inject code.

Advisories
Source: EUVD
ID: EUVD-2025-11603
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webheadcoder WP Log Action allows Reflected XSS. This issue affects WP Log Action: from n/a through 0.51.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webheadcoder WP Log Action allows Reflected XSS. This issue affects WP Log Action: from n/a through 0.51.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webheadcoder WP Log Action wp-log-action allows Reflected XSS.This issue affects WP Log Action: from n/a through <= 0.51.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Thu, 17 Apr 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 17 Apr 2025 16:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webheadcoder WP Log Action allows Reflected XSS. This issue affects WP Log Action: from n/a through 0.51.
Title WordPress WP Log Action Plugin <= 0.51 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T23:57:11.015Z

Reserved: 2025-01-23T14:51:18.436Z

Link: CVE-2025-24619

Vulnrichment

Updated: 2025-04-17T17:43:17.572Z

NVD

Status: Deferred

Published: 2025-04-17T16:15:32.810

Modified: 2026-06-17T08:59:19.750

Link: CVE-2025-24619

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T09:30:14Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')