24 matches found
WordPress coreActivity: Activity Logging for WordPress plugin <= 3.0 - Unauthenticated PHP Object Injection vulnerability
Unauthenticated PHP Object Injection vulnerability discovered by ? in WordPress Plugin coreActivity: Activity Logging plugin for WordPress versions <= 3.0...
CVE-2026-7635
The CVE-2026-7635 entry concerns the coreActivity: Activity Logging for WordPress plugin for WordPress, affected up to version 3.0. The vulnerability arises from unsanitized PHP serialization in the User-Agent header stored to the logmeta table and later deserialized via maybe_unserialize() durin...
CVE-2026-7635 coreActivity: Activity Logging for WordPress <= 3.0 - Unauthenticated PHP Object Injection via 'user_agent' Log Meta Field
The coreActivity: Activity Logging for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0. This is due to the plugin failing to validate or strip PHP serialization syntax from the User-Agent HTTP header before storing it in the logmeta...
WordPress plugin coreActivity code issue vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There we...
WordPress coreActivity plugin < 2.1 - Unauthenticated IP Spoofing vulnerability
Unauthenticated IP Spoofing vulnerability discovered by Erwan LR WPScan in WordPress Plugin coreActivity: Activity Logging plugin for WordPress versions < 2.1...
CVE-2024-0852
The coreActivity: Activity Logging for WordPress plugin before 1.8.1 does not escape some request data when outputting it back in the admin dashboard, allowing unauthenticated users to perform a Stored XSS attack against high privilege users such as admin...
CVE-2024-0852
The coreActivity: Activity Logging for WordPress plugin before 1.8.1 does not escape some request data when outputting it back in the admin dashboard, allowing unauthenticated users to perform a Stored XSS attack against high privilege users such as admin...
CVE-2024-0852
The coreActivity: Activity Logging for WordPress plugin before 1.8.1 does not escape some request data when outputting it back in the admin dashboard, allowing unauthenticated users to perform a Stored XSS attack against high privilege users such as admin...
CVE-2024-0852 coreActivity < 1.8.1 - Unauthenticated Stored XSS
The coreActivity: Activity Logging for WordPress plugin before 1.8.1 does not escape some request data when outputting it back in the admin dashboard, allowing unauthenticated users to perform a Stored XSS attack against high privilege users such as admin...
CVE-2024-0852 coreActivity < 1.8.1 - Unauthenticated Stored XSS
The coreActivity: Activity Logging for WordPress plugin before 1.8.1 does not escape some request data when outputting it back in the admin dashboard, allowing unauthenticated users to perform a Stored XSS attack against high privilege users such as admin...
PT-2025-21390
Name of the Vulnerable Software and Affected Versions: coreActivity: Activity Logging for WordPress plugin versions prior to 1.8.1 Description: The issue allows unauthenticated users to perform a Stored XSS attack against high-privilege users, such as administrators, due to the plugin's failure t...
WordPress plugin coreActivity: Activity Logging security vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers running PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability exists in...
CVE-2025-3436 coreActivity: Activity Logging for WordPress <= 2.7 - Authenticated (Subscriber+) SQL Injection
The coreActivity: Activity Logging for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'order' and 'orderby' parameters in all versions up to, and including, 2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQ...
CVE-2025-3436 coreActivity: Activity Logging for WordPress <= 2.7 - Authenticated (Subscriber+) SQL Injection
The coreActivity: Activity Logging for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'order' and 'orderby' parameters in all versions up to, and including, 2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQ...
CVE-2025-3436
CVE-2025-3436 affects the WordPress plugin “coreActivity: Activity Logging for WordPress.” The vulnerability is an SQL injection in the query built from user-supplied parameters order and orderby, impacting all versions up to and including 2.7. Exploitation requires authentication at Subscriber l...
PT-2025-15412 · WordPress · Coreactivity
Name of the Vulnerable Software and Affected Versions: coreActivity: Activity Logging plugin for WordPress versions prior to 2.8 Description: The issue arises from insufficient escaping of user-supplied parameters order and orderby, and a lack of proper preparation of existing SQL queries. This...
WordPress plugin coreActivity: Activity Logging SQL injection vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. A SQL injection vulnerability exists in...
CVE-2024-0868
The coreActivity: Activity Logging plugin for WordPress plugin before 2.1 retrieved IP addresses of requests via headers such as X-FORWARDED to log them, allowing users to spoof them by providing an arbitrary value...
CVE-2024-0868 coreActivity < 2.1 - Unauthenticated IP Spoofing
The coreActivity: Activity Logging plugin for WordPress plugin before 2.1 retrieved IP addresses of requests via headers such as X-FORWARDED to log them, allowing users to spoof them by providing an arbitrary value...
CVE-2024-0868 coreActivity < 2.1 - Unauthenticated IP Spoofing
The coreActivity: Activity Logging plugin for WordPress plugin before 2.1 retrieved IP addresses of requests via headers such as X-FORWARDED to log them, allowing users to spoof them by providing an arbitrary value...