Description
The coreActivity: Activity Logging for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'order' and 'orderby' parameters in all versions up to, and including, 2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-04-08
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data exfiltration via SQL injection (authenticated user)
Action: Immediate Patch
AI Analysis

Impact

The coreActivity plugin for WordPress contains an SQL Injection flaw reachable through the 'order' and 'orderby' parameters in versions 2.7 and earlier. Because the plugin builds its query without sufficient escaping or parameterization, an authenticated user with Subscriber-level or higher privileges can inject additional SQL statements and read sensitive data from the database. This is a classic example of CWE-89: unsafe query construction from user-supplied input.

Affected Systems

The vulnerability affects the gdragon coreActivity: Activity Logging for WordPress plugin, specifically all releases up to and including version 2.7. Any WordPress site running the plugin that allows accounts with Subscriber or higher privileges is at risk.

Risk and Exploitability

With a CVSS score of 6.5 the flaw is considered moderate in severity. Its EPSS score of less than 1% suggests that it is unlikely to be actively exploited in the wild, and it is not listed in CISA's KEV catalog. Nevertheless, because exploitation requires only an authenticated account and is driven by the plugin's standard request parameters, any attacker with Subscriber access could use it to read confidential database contents.

Generated by OpenCVE AI on April 20, 2026 at 23:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the coreActivity plugin to version 2.8 or later where the SQL injection issue has been fixed.
  • If an immediate upgrade is not feasible, remove or disable the plugin for non-administrator users and restrict what reaches the 'order' and 'orderby' parameters by sanitizing the input (e.g., using WordPress's sanitize_text_field or $wpdb->prepare before query construction).
  • After applying a fix or mitigation, audit the database for any signs of unauthorized data extraction and consider rotating database credentials as a precautionary measure.
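The following is an added illustration of the sanitization step recommended above, not code from the coreActivity plugin. Because $wpdb->prepare() binds values only, not column names or the ASC/DESC keyword, an ORDER BY clause built from 'order' and 'orderby' must map the request values onto a fixed allowlist; the table and column names below are assumed for the example.

```php
<?php
// Added example (not the plugin's code). Table and column names are assumed.
//
// Unsafe pattern this guards against: interpolating request values directly,
//   "... ORDER BY {$_GET['orderby']} {$_GET['order']}"
// Neither sanitize_text_field() nor prepare() can make that clause safe,
// because ORDER BY takes identifiers, which prepare() cannot bind.

/**
 * Resolve user-supplied sort parameters to a safe ORDER BY fragment.
 * Unknown values fall back to defaults instead of being interpolated.
 */
function coreactivity_safe_order_clause( array $request ): string {
    // Request value => real column name (assumed columns for this example).
    $allowed_columns = array(
        'id'    => 'log_id',
        'time'  => 'logged',
        'user'  => 'user_id',
        'event' => 'event_id',
    );

    // sanitize_key() reduces input to [a-z0-9_-]; the lookup then rejects
    // anything that is not an exact allowlisted key.
    $orderby_key = isset( $request['orderby'] ) ? sanitize_key( $request['orderby'] ) : 'time';
    $column      = $allowed_columns[ $orderby_key ] ?? $allowed_columns['time'];

    // Direction is limited to the two literal keywords.
    $order = isset( $request['order'] ) ? strtoupper( sanitize_key( $request['order'] ) ) : 'DESC';
    $order = in_array( $order, array( 'ASC', 'DESC' ), true ) ? $order : 'DESC';

    return sprintf( 'ORDER BY `%s` %s', $column, $order );
}

/**
 * Build the full query: prepare() for values, allowlist for identifiers.
 */
function coreactivity_fetch_logs( wpdb $wpdb, array $request, int $limit = 50 ): array {
    $table = $wpdb->prefix . 'coreactivity_logs'; // assumed table name
    $sql   = $wpdb->prepare( "SELECT * FROM {$table} WHERE blog_id = %d ", get_current_blog_id() );
    $sql  .= coreactivity_safe_order_clause( $request );
    $sql  .= $wpdb->prepare( ' LIMIT %d', $limit );
    return $wpdb->get_results( $sql, ARRAY_A );
}
```

A request such as orderby=user&order=asc yields `ORDER BY `user_id` ASC`; any other orderby value, including one carrying SQL, resolves to the default column and never reaches the query text.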


Advisories
Source: EUVD
ID: EUVD-2025-10325
Title: The coreActivity: Activity Logging for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'order' and 'orderby' parameters in all versions up to, and including, 2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
History

Tue, 08 Apr 2025 14:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 08 Apr 2025 08:30:00 +0000

Type: Description
Values Added: The coreActivity: Activity Logging for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'order' and 'orderby' parameters in all versions up to, and including, 2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Type: Title
Values Added: coreActivity: Activity Logging for WordPress <= 2.7 - Authenticated (Subscriber+) SQL Injection

Type: Weaknesses
Values Added: CWE-89

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:29:03.536Z

Reserved: 2025-04-07T20:08:21.506Z

Link: CVE-2025-3436

Vulnrichment

Updated: 2025-04-08T13:13:27.851Z

NVD

Status: Deferred

Published: 2025-04-08T09:15:29.300

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-3436

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T23:30:16Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')