CVE-2024-10788

HIGH

Activity Log <= 2.11.1 - Unauthenticated Stored XSS via Event Parameters

Title source: llm
STIX 2.1

Description

The Activity Log – Monitor & Record User Changes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the event parameters in all versions up to, and including, 2.11.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrative user accesses an injected page.

Scores

CVSS v3 7.2
EPSS 0.0077
EPSS Percentile 51.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (2)
elemntor/Activity Log – Monitor & Record User Changes < 2.11.1
pojo/activity_log < 2.11.2
Published Nov 21, 2024
Tracked Since Feb 18, 2026