Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Melapress WP Activity Log allows DOM-Based XSS.

This issue affects WP Activity Log: from n/a through 5.6.3.
Published: 2026-05-25
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input during page rendering allows an attacker to inject and execute malicious JavaScript in the context of a victim’s browser. The DOM‑based XSS flaw permits a malicious script to run when a user views the affected plugin’s interface, potentially leading to session hijacking, credential theft, defacement, or the execution of arbitrary actions with the victim’s privileges.

Affected Systems

The vulnerability impacts the Melapress WordPress plugin WP Activity Log version 5.6.3 and all earlier releases.

Risk and Exploitability

The CVSS score of 6.5 indicates Medium severity. EPSS data is not available, and the issue is not listed in CISA KEV. Because the flaw is DOM-based, an attacker would likely need to supply crafted input to a page that renders the affected plugin's data. The advisory does not detail the precise access conditions, so any requirement for authentication or elevated privileges is inferred rather than confirmed. Exploitation would require the victim to interact with the malicious page.

Generated by OpenCVE AI on May 25, 2026 at 23:22 UTC.

Remediation

Vendor Solution

Update the WordPress WP Activity Log Plugin to the latest available version (at least 5.6.3.1).


OpenCVE Recommended Actions

  • Update the WP Activity Log plugin to version 5.6.3.1 or later, as released by Melapress.
  • Configure a Content Security Policy that restricts inline scripts and disallows execution from unknown sources to reduce the impact of any remaining XSS vectors.
  • If the plugin is not essential to operations, consider disabling or removing it until the patch is applied.

Advisories

No advisories yet.

History

Mon, 25 May 2026 23:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Melapress; Melapress wp Activity Log; Wordpress; Wordpress wordpress
Vendors & Products | | Melapress; Melapress wp Activity Log; Wordpress; Wordpress wordpress

Mon, 25 May 2026 22:45:00 +0000

Type | Values Removed | Values Added
Description | | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Melapress WP Activity Log allows DOM-Based XSS. This issue affects WP Activity Log: from n/a through 5.6.3.
Title | | WordPress WP Activity Log plugin <= 5.6.3 - Cross Site Scripting (XSS) vulnerability
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-25T22:28:19.614Z

Reserved: 2026-05-12T13:08:41.669Z

Link: CVE-2026-45435

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T23:30:26Z

Weaknesses