Description
Subscriber Cross Site Scripting (XSS) in WP Activity Log <= 5.6.3.1 versions.
Published: 2026-06-25
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a subscriber‑level cross‑site scripting vulnerability in WP Activity Log plugin versions up to 5.6.3.1. It allows an attacker to inject arbitrary JavaScript through user‑controlled input that is displayed in the activity log view. The impact is the execution of malicious scripts in the context of users who view the log, potentially leading to credential theft or defacement.

Affected Systems

The affected software is the WordPress WP Activity Log plugin from Melapress, with all releases up to but not including 5.6.4 vulnerable. Any WordPress installation that has a version of this plugin older than 5.6.4 should be considered at risk.

Risk and Exploitability

With a CVSS score of 7.1 this vulnerability is considered high severity. The EPSS score is not available, making the exact exploitation likelihood uncertain, and the flaw is not listed in the CISA KEV catalog. The likely attack vector is through the WordPress web interface targeting users with the subscriber role who can view the activity log. Successful exploitation would enable an attacker to run arbitrary JavaScript within the victim’s browser context.

Generated by OpenCVE AI on June 25, 2026 at 15:30 UTC.

Remediation

Vendor Solution

Update the WordPress WP Activity Log Plugin to the latest available version (at least 5.6.4).

OpenCVE Recommended Actions

  • Update the WP Activity Log plugin to the latest available version (at least 5.6.4).
  • Review and tighten user role permissions to limit subscriber access to log viewing where possible.
  • Audit recent site activity logs for evidence of XSS payloads or unauthorized script execution before applying the patch.

Generated by OpenCVE AI on June 25, 2026 at 15:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Melapress
Melapress wp Activity Log
Wordpress
Wordpress wordpress
Vendors & Products Melapress
Melapress wp Activity Log
Wordpress
Wordpress wordpress

Thu, 25 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 25 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Subscriber Cross Site Scripting (XSS) in WP Activity Log <= 5.6.3.1 versions.
Title WordPress WP Activity Log plugin <= 5.6.3.1 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Melapress Wp Activity Log
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-25T14:19:35.839Z

Reserved: 2026-06-18T09:31:56.470Z

Link: CVE-2026-56005

cve-icon Vulnrichment

Updated: 2026-06-25T14:19:30.429Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T23:30:16Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')