421 matches found
CVE-2025-13471 User Activity Log <= 2.2 - Unauthenticated Limited Arbitrary Option Update
The User Activity Log WordPress plugin through 2.2 does not properly handle failed login attempts in some cases, allowing unauthenticated users to set arbitrary options to 1 for example to enable User Registration when it has been turned off...
EUVD-2025-206412
The User Activity Log WordPress plugin through 2.2 does not properly handle failed login attempts in some cases, allowing unauthenticated users to set arbitrary options to 1 for example to enable User Registration when it has been turned off...
PT-2026-5057
The User Activity Log WordPress plugin through 2.2 does not properly handle failed login attempts in some cases, allowing unauthenticated users to set arbitrary options to 1 for example to enable User Registration when it has been turned off...
WordPress plugin User Activity Log security vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...
Pterodactyl endlessly reprocesses/reuploads activity log data due to SQLite max parameters limit not being considered
Summary Wings does not consider SQLite max parameter limit when processing activity log entries allowing for low privileged user to trigger a condition that floods the panel with activity records Details After wings sends activity logs to the panel it deletes the processed activity entries from t...
CVE-2026-21696 Endless reprocessing/reupload of activity log data due to SQLite max parameters limit not being considered
Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Starting in version 1.7.0 and prior to version 1.12.0, Wings does not consider SQLite max parameter limit when processing activity log entries allowing for low privileged user to trigger a conditi...
CVE-2023-4279
This User Activity Log WordPress plugin before 1.6.7 retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to hide the source of malicious traffic...
CVE-2023-4269
The User Activity Log WordPress plugin before 1.6.6 lacks proper authorisation when exporting its activity logs, allowing any authenticated users, such as subscriber to perform such action and retrieve PII such as email addresses...
CVE-2016-10891
The aryo-activity-log plugin before 2.3.3 for WordPress has XSS...
CVE-2023-50905
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Melapress WP Activity Log allows Stored XSS.This issue affects WP Activity Log: from n/a through 4.6.1...
CVE-2025-11877
The User Activity Log plugin is vulnerable to a limited options update in versions up to, and including, 2.2. The failed-login handler 'ualshookwploginfailed' lacks a capability check and writes failed usernames directly into updateoption calls. This makes it possible for unauthenticated attacker...
Exploit for CVE-2025-11877
CVE-2025-11877 User Activity Log - Unauthenticated Limited...
CVE-2024-2018
The WP Activity Log Premium plugin for WordPress is vulnerable to SQL Injection via the entry-roles parameter in all versions up to, and including, 4.6.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possibl...
CVE-2025-11877 User Activity Log <= 2.2 - Unauthenticated Limited Options Update via Failed Login
The User Activity Log plugin is vulnerable to a limited options update in versions up to, and including, 2.2. The failed-login handler 'ualshookwploginfailed' lacks a capability check and writes failed usernames directly into updateoption calls. This makes it possible for unauthenticated attacker...
CVE-2025-11877
The CVE-2025-11877 issue affects WordPress User Activity Log versions up to 2.2. The vulnerability is in the failed-login handler (ual_shook_wp_login_failed), which lacks a capability check and writes failed usernames into update_option() calls. This allows unauthenticated attackers to push certa...
CVE-2025-11877 User Activity Log <= 2.2 - Unauthenticated Limited Options Update via Failed Login
The User Activity Log plugin is vulnerable to a limited options update in versions up to, and including, 2.2. The failed-login handler 'ualshookwploginfailed' lacks a capability check and writes failed usernames directly into updateoption calls. This makes it possible for unauthenticated attacker...
WordPress User Activity Log plugin <= 2.2 - Unauthenticated Limited Options Update via Failed Login vulnerability
Unauthenticated Limited Options Update via Failed Login vulnerability discovered by shark3y in WordPress Plugin User Activity Log versions = 2.2...
WordPress plugin User Activity Log 安全漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed in the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A security vulnerability...
PT-2026-1584
Name of the Vulnerable Software and Affected Versions User Activity Log plugin versions prior to and including 2.2 Description The User Activity Log plugin has an issue where the failed-login handler ual shook wp login failed does not perform a capability check. This allows unauthenticated...
CVE-2025-46556
CVE-2025-46556 – MantisBT (Mantis Bug Tracker) Affected software: MantisBT up to version 2.27.1.Root cause: lack of server-side validation of note length allows extremely long notes to be submitted.Impact: permanently corrupts issue activity logs; the activity stream UI fails to render, preventin...