Unauthorized Execution of Arbitrary Web Scripts via User_id Parameter
CVE-2024-10793

7.2HIGH

Key Information:

Vendor: WordPress
Status: WP Activity Log
Vendor: CVE Published:; 15 November 2024

Badges

👾 Exploit Exists🟣 EPSS 68%

What is CVE-2024-10793?

The WP Activity Log plugin for WordPress has a security flaw that enables unauthenticated attackers to exploit the user_id parameter due to inadequate input sanitization and output escaping. When administrative users access compromised pages, arbitrary scripts can execute, posing a severe risk to website integrity. This vulnerability affects all versions up to and including 5.2.1, underscoring the need for immediate remediation to protect against potential attacks.

Affected Version(s)

WP Activity Log 0 <= 5.2.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wp-security-au...

EPSS Score

68% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Nov 18, 2024
👾
Exploit known to exist
Nov 18, 2024
Vulnerability published
Nov 15, 2024
Vulnerability Reserved
Nov 4, 2024

Credit

Michael Mazzolini

CVE-2024-10793 Data

JSON