WordPress Plugin Vulnerabilities

User Activity Log < 1.4.7 - Reflected Cross-Site Scripting

Description

The plugin does not escape the txtsearch parameter before outputting it in an attribute, leading to a Reflected Cross-Site Scripting issue

Proof of Concept

Affects Plugins

Plugin icon
user-activity-log
Fixed in 1.4.7

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Submitter
Jin An
Verified
Yes
WPVDB ID
6f763519-70d3-47c4-9af4-506aea0e78c2

Timeline

Publicly Published
2021-08-30 (about 4 years ago)
Added
2021-08-30 (about 4 years ago)
Last Updated
2021-08-30 (about 4 years ago)

Other

Published
Title
Published
2023-11-08
Title
IdeaPush < 8.53 - Admin+ Stored XSS
Published
2023-04-10
Title
Product Catalog Feed by PixelYourSite < 2.1.1 - Reflected XSS
Published
2024-10-21
Title
Extra Privacy for Elementor <= 0.1.3 - Reflected Cross-Site Scripting
Published
2025-03-27
Title
SearchIQ < 4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-01-17
Title
JSM Screenshot Machine Shortcode < 3.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting