CVE-2018-8729

MEDIUM

WordPress Activity Log <2.4.1 - XSS


Exploitation Summary

EIP tracks 2 public exploits for CVE-2018-8729. PoCs published by Stefan Broeder.

AI-analyzed exploit summary: This is a detailed writeup describing a stored XSS vulnerability in the Activity Log WordPress plugin (version 2.4.0). The vulnerability arises from unsanitized output of post titles in log entries, allowing arbitrary JavaScript execution when viewed.

Description

Multiple cross-site scripting (XSS) vulnerabilities in the Activity Log plugin before 2.4.1 for WordPress allow remote attackers to inject arbitrary JavaScript or HTML via a title that is not escaped.

Exploits (2)

exploitdb WRITEUP
by Stefan Broeder · text · webapps · php
https://www.exploit-db.com/exploits/44437

Classification: Writeup 100%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Aryo Activity Log WordPress Plugin 2.4.0
Auth required
Prerequisites: WordPress user role with post/comment/attachment creation privileges
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP
by Stefan Broeder · text · webapps · php
https://www.exploit-db.com/exploits/44409

Classification: Writeup 100%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Aryo Activity Log WordPress Plugin 2.4.0
Auth required
Prerequisites: WordPress user role with post/comment/attachment creation privileges
devstral-2 · analyzed Feb 16, 2026

References (5)

Core References
Patch, Third Party Advisory (x_refsource_misc): https://plugins.trac.wordpress.org/changeset/1836276
Exploit, Third Party Advisory, VDB Entry (exploit, x_refsource_exploit-db): https://www.exploit-db.com/exploits/44437/
Release Notes, Third Party Advisory (x_refsource_misc): https://wordpress.org/plugins/aryo-activity-log/#developers

Scores

CVSS v3: 6.1
EPSS: 0.0563
EPSS Percentile: 91.9%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-79
Status: published
Products (1)
pojo/activity_log < 2.4.1
Published: Mar 15, 2018
Tracked Since: Feb 18, 2026