CVE-2018-8729

MEDIUM

WordPress Activity Log <2.4.1 - XSS

Title source: llm

Description

Multiple cross-site scripting (XSS) vulnerabilities in the Activity Log plugin before 2.4.1 for WordPress allow remote attackers to inject arbitrary JavaScript or HTML via a title that is not escaped.

Exploits (2)

exploitdb WRITEUP

by Stefan Broeder · textwebappsphp

https://www.exploit-db.com/exploits/44437

View Code ZIP pw:eip

exploitdb WRITEUP

by Stefan Broeder · textwebappsphp

https://www.exploit-db.com/exploits/44409

View Code ZIP pw:eip

References (5)

Core 5

Core References

Patch, Third Party Advisory x_refsource_misc

https://github.com/pojome/activity-log/commit/950c46b2290c991187ff3471640e9688b16908fb

Patch, Third Party Advisory x_refsource_misc

https://plugins.trac.wordpress.org/changeset/1836276

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/44437/

Patch, Release Notes, Third Party Advisory x_refsource_misc

https://github.com/pojome/activity-log/commit/e7bcd12fcb0add82bed762a971f427a360664bd9

Release Notes, Third Party Advisory x_refsource_misc

https://wordpress.org/plugins/aryo-activity-log/#developers

Scores

CVSS v3 6.1

EPSS 0.0326

EPSS Percentile 87.2%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

pojo/activity_log < 2.4.1

Published Mar 15, 2018

Tracked Since Feb 18, 2026