WordPress Plugin Vulnerabilities

Activity Log – Monitor & Record User Changes < 2.11.2 - Unauthenticated Stored XSS via Event Context

Description

The plugin is vulnerable to Stored Cross-Site Scripting via the event parameter due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrative user accesses an injected page.

Affects Plugins

Plugin icon
aryo-activity-log
Fixed in 2.11.2

References

CVE
CVE-2024-10788
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/75324bf1-a00e-4da7-8d42-d224c39ceb79

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.8 (high)

Miscellaneous

Original Researcher
mikemyers
Verified
No
WPVDB ID
ce6b2788-3c19-4a29-8864-61010435b37d

Timeline

Publicly Published
2024-11-20 (about 1 year ago)
Added
2024-11-22 (about 1 year ago)
Last Updated
2024-11-22 (about 1 year ago)

Other

Published
Title
Published
2021-07-14
Title
Current Book <= 1.0.1 - Authenticated Stored Cross-Site Scripting (XSS)
Published
2024-08-30
Title
Share This Image < 2.02 - Authenticated (Contributor+) Stored Cross-Site Scripting via alignment Parameter
Published
2023-03-17
Title
Article Directory <= 1.3 - Admin+ Stored XSS
Published
2017-03-01
Title
User Login Log - Stored Cross-Site Scripting (XSS)
Published
2025-01-06
Title
PIXNET Plugin <= 2.9.10 - Authenticated (Subscriber+) Stored Cross-Site Scripting