Unvalidated User Input Vulnerability in WP Activity Log by WordPress
CVE-2025-0767

6.3MEDIUM

Key Information:

Vendor: WordPress
Status: WP Activity Log
Vendor: CVE Published:; 27 February 2025

What is CVE-2025-0767?

The WP Activity Log plugin version 5.3.2 is susceptible to a security flaw due to unvalidated user input being improperly managed within the unserialize function located in myapp/classes/Writers/class-csv-writer.php. This vulnerability could allow an attacker to exploit the application, leading to potential data manipulation or compromise. Regular updates and security audits are advisable to mitigate risks associated with such vulnerabilities.

Affected Version(s)

WP Activity Log 5.3.2

References

https://fluidattacks.com/advisories/skims-9/

third-party-advisory

https://co.wordpress.org/plugins/wp-security-audit-log/

product

CVSS V4

Score:

6.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 27, 2025
Vulnerability Reserved
Jan 28, 2025