6 matches found
CVE-2026-7635 coreActivity: Activity Logging for WordPress <= 3.0 - Unauthenticated PHP Object Injection via 'user_agent' Log Meta Field
The coreActivity: Activity Logging for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0. This is due to the plugin failing to validate or strip PHP serialization syntax from the User-Agent HTTP header before storing it in the logmeta...
CVE-2024-0852
The coreActivity: Activity Logging for WordPress plugin before 1.8.1 does not escape some request data when outputting it back in the admin dashboard, allowing unauthenticated users to perform a Stored XSS attack against high-privilege users such as admin...
CVE-2024-0852 coreActivity < 1.8.1 - Unauthenticated Stored XSS
The coreActivity: Activity Logging for WordPress plugin before 1.8.1 does not escape some request data when outputting it back in the admin dashboard, allowing unauthenticated users to perform a Stored XSS attack against high-privilege users such as admin...
CVE-2024-0852 coreActivity < 1.8.1 - Unauthenticated Stored XSS
The coreActivity: Activity Logging for WordPress plugin before 1.8.1 does not escape some request data when outputting it back in the admin dashboard, allowing unauthenticated users to perform a Stored XSS attack against high-privilege users such as admin...
PT-2025-21390
Name of the Vulnerable Software and Affected Versions: coreActivity: Activity Logging for WordPress plugin versions prior to 1.8.1
Description: The issue allows unauthenticated users to perform a Stored XSS attack against high-privilege users, such as administrators, due to the plugin's failure t...
PT-2024-15877 · WordPress · Coreactivity
Name of the Vulnerable Software and Affected Versions: coreActivity: Activity Logging plugin for WordPress versions prior to 2.1
Description: The issue allows users to spoof IP addresses by providing an arbitrary value via headers such as X-FORWARDED, which are used to log IP addresses of request...