CVE-2025-0924

HIGH

WP Activity Log <= 5.2.2 - Unauthenticated Stored Cross-Site Scripting via Message Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-0924. PoCs published by skrkcb2.

AI-analyzed exploit summary This repository contains a detailed analysis of a Stored XSS vulnerability in WP Activity Log plugin (version 5.2.2 and below), attributed to CVE-2025-0924. The writeup describes how malicious scripts can be injected via post titles and executed when logs are viewed, due to insufficient sanitization in the `AuditLog.php` file.

Description

The WP Activity Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘message’ parameter in all versions up to, and including, 5.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Exploits (1)

nomisec WRITEUP

by skrkcb2 · poc

https://github.com/skrkcb2/CVE-2025-0924-different

View Code ZIP pw:eip

This repository contains a detailed analysis of a Stored XSS vulnerability in WP Activity Log plugin (version 5.2.2 and below), attributed to CVE-2025-0924. The writeup describes how malicious scripts can be injected via post titles and executed when logs are viewed, due to insufficient sanitization in the `AuditLog.php` file.

Classification

Writeup 90%

Attack Type

Xss

Complexity

Moderate

Reliability

Reliable

Target: WP Activity Log plugin for WordPress (version 5.2.2 and below)

Auth required

Prerequisites: Access to WordPress admin panel · WP Activity Log plugin version 5.2.2 or below installed

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Core References

Product

https://plugins.trac.wordpress.org/browser/wp-security-audit-log/trunk/classes/Controllers/class-alert-manager.php

Product

https://plugins.trac.wordpress.org/browser/wp-security-audit-log/trunk/classes/Controllers/class-alert.php

Patch

https://plugins.trac.wordpress.org/changeset/3238760/

Release Notes

https://wordpress.org/plugins/wp-security-audit-log/#developers

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/91699d32-1768-4d87-a4f2-91969b3e3355?source=cve

Scores

CVSS v3 7.2

EPSS 0.0127

EPSS Percentile 66.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (2)

melapress/WP Activity Log < 5.2.2

melapress/wp_activity_log < 5.3.0

Published Feb 17, 2025

Tracked Since Feb 18, 2026