CVE-2024-10793

HIGH

Melapress WP Activity Log < 5.2.2 - XSS

Description

The WP Activity Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user_id parameter in all versions up to, and including, 5.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrative user accesses an injected page.

Exploits (3)

nomisec · WORKING POC · 2 stars
by MAHajian · poc
https://github.com/MAHajian/CVE-2024-10793

nomisec · WORKING POC
by djayaGit · poc
https://github.com/djayaGit/CVE-2024-10793

Scores

CVSS v3: 7.2
EPSS: 0.6871
EPSS Percentile: 98.6%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Details

CWE: CWE-79
Status: published
Products (2):
melapress/WP Activity Log < 5.2.1
melapress/wp_activity_log < 5.2.2
Published: Nov 15, 2024
Tracked Since: Feb 18, 2026