Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

User Activity Log

Source -

CNA

CNA CVEs -

8

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

0
Related CVEsRelated VendorsRelated AssignersReports
8Vulnerabilities found
CVE-2025-13471
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-5.3||MEDIUM
EPSS-0.02% / 3.77%
||
7 Day CHG~0.00%
Published-28 Jan, 2026 | 06:00
Updated-29 Jan, 2026 | 16:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
User Activity Log <= 2.2 - Unauthenticated Limited Arbitrary Option Update

The User Activity Log WordPress plugin through 2.2 does not properly handle failed login attempts in some cases, allowing unauthenticated users to set arbitrary options to 1 (for example to enable User Registration when it has been turned off)

Action-Not Available
Vendor-Unknown
Product-User Activity Log
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2025-11877
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-7.5||HIGH
EPSS-0.10% / 26.81%
||
7 Day CHG+0.03%
Published-07 Jan, 2026 | 08:21
Updated-08 Jan, 2026 | 18:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
User Activity Log <= 2.2 - Unauthenticated Limited Options Update via Failed Login

The User Activity Log plugin is vulnerable to a limited options update in versions up to, and including, 2.2. The failed-login handler 'ual_shook_wp_login_failed' lacks a capability check and writes failed usernames directly into update_option() calls. This makes it possible for unauthenticated attackers to push select site options from 0 to a non-zero value, allowing them to reopen registration or corrupt options like 'wp_user_roles', breaking wp-admin access.

Action-Not Available
Vendor-solwininfotech
Product-User Activity Log
CWE ID-CWE-862
Missing Authorization
CVE-2024-31356
Assigner-Patchstack
ShareView Details
Assigner-Patchstack
CVSS Score-7.6||HIGH
EPSS-0.31% / 54.09%
||
7 Day CHG~0.00%
Published-10 Apr, 2024 | 16:19
Updated-02 Aug, 2024 | 01:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress User Activity Log plugin <= 1.8 - Auth. SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Solwin Infotech User Activity Log.This issue affects User Activity Log: from n/a through 1.8.

Action-Not Available
Vendor-Solwin Infotech
Product-User Activity Log
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2023-37966
Assigner-Patchstack
ShareView Details
Assigner-Patchstack
CVSS Score-9.8||CRITICAL
EPSS-0.44% / 62.69%
||
7 Day CHG~0.00%
Published-31 Oct, 2023 | 14:57
Updated-05 Sep, 2024 | 17:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress User Activity Log Plugin <= 1.6.2 is vulnerable to SQL Injection

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Solwin Infotech User Activity Log user-activity-log allows SQL Injection.This issue affects User Activity Log: from n/a through 1.6.2.

Action-Not Available
Vendor-solwininfotechSolwin Infotech
Product-user_activity_logUser Activity Log
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2023-4279
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-7.5||HIGH
EPSS-2.06% / 83.56%
||
7 Day CHG~0.00%
Published-04 Sep, 2023 | 11:27
Updated-23 Apr, 2025 | 16:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
User Activity Log < 1.6.7 - IP Spoofing

This User Activity Log WordPress plugin before 1.6.7 retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to hide the source of malicious traffic.

Action-Not Available
Vendor-solwininfotechUnknown
Product-user_activity_logUser Activity Log
CWE ID-CWE-290
Authentication Bypass by Spoofing
CVE-2023-4269
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 29.78%
||
7 Day CHG~0.00%
Published-04 Sep, 2023 | 11:26
Updated-23 Apr, 2025 | 16:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
User Activity Log < 1.6.6 - Subscriber+ Log Export

The User Activity Log WordPress plugin before 1.6.6 lacks proper authorisation when exporting its activity logs, allowing any authenticated users, such as subscriber to perform such action and retrieve PII such as email addresses.

Action-Not Available
Vendor-solwininfotechUnknown
Product-user_activity_logUser Activity Log
CWE ID-CWE-863
Incorrect Authorization
CVE-2023-3435
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-9.8||CRITICAL
EPSS-0.63% / 69.80%
||
7 Day CHG~0.00%
Published-14 Aug, 2023 | 19:10
Updated-09 Oct, 2024 | 13:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
User Activity Log < 1.6.5 - Unauthenticated SQLi

The User Activity Log WordPress plugin before 1.6.5 does not correctly sanitise and escape several parameters before using it in a SQL statement as part of its exportation feature, allowing unauthenticated attackers to conduct SQL injection attacks.

Action-Not Available
Vendor-solwininfotechUnknown
Product-user_activity_logUser Activity Log
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2023-2761
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-7.2||HIGH
EPSS-0.20% / 41.50%
||
7 Day CHG~0.00%
Published-24 Jul, 2023 | 10:20
Updated-24 Oct, 2024 | 15:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
User Activity Log < 1.6.3 - Admin+ SQL Injection

The User Activity Log WordPress plugin before 1.6.3 does not properly sanitise and escape the `txtsearch` parameter before using it in a SQL statement in some admin pages, leading to a SQL injection exploitable by high privilege users such as admin.

Action-Not Available
Vendor-solwininfotechUnknown
Product-user_activity_logUser Activity Log
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')