Cyber Resilience

CVE-2025-0924

Severity: High
Published: 17 February 2025
Modified: 23 May 2025
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
EPSS Score: 0.0845 (92.5th percentile)
Risk Priority: 19 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-0924 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Melapress Wp Activity Log. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 7.5% of CVEs by EPSS exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

The WP Activity Log plugin for WordPress, also distributed under the wp-security-audit-log slug, contains a stored cross-site scripting vulnerability in all versions through 5.2.2. The flaw resides in the handling of the message parameter and stems from insufficient input sanitization combined with inadequate output escaping, allowing malicious content to be persisted and later rendered in administrative or audit-log views.

Unauthenticated attackers can supply crafted input that is stored by the plugin and subsequently executed in the browser of any user who views the affected page. Successful exploitation yields the ability to perform actions on behalf of the victim within the WordPress context. The CVSS vector reflects a network-reachable attack of low complexity that requires neither privileges nor user interaction.

Public references point to a patched release tracked in changeset 3238760 on the WordPress plugin repository, and site operators are advised to update to the current version listed on the plugin developer's page. The Wordfence advisory further details the affected code paths in the Alert and Alert Manager controllers.

EPSS for the CVE rose from lower values to a peak of 0.1542 on 2025-12-18 before receding to the current 0.0845, indicating measurable post-disclosure exploitation interest that warrants renewed attention.


Vulnerability details

The WP Activity Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘message’ parameter in all versions up to, and including, 5.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1185 Browser Session Hijacking (Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.

T1491 Defacement (Impact)
Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content.

T1539 Steal Web Session Cookie (Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

Stored XSS in a public-facing WordPress plugin directly enables remote exploitation (T1190) and facilitates browser session hijacking and cookie theft (T1185/T1539) as well as defacement (T1491).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-0767 (same product: Melapress Wp Activity Log)
CVE-2018-25248 (shared CWE-79)
CVE-2025-68008 (shared CWE-79)
CVE-2025-0817 (shared CWE-79)
CVE-2024-55227 (shared CWE-79)
CVE-2026-2072 (shared CWE-79)
CVE-2026-23722 (shared CWE-79)
CVE-2026-32728 (shared CWE-79)
CVE-2025-25169 (shared CWE-79)
CVE-2025-68887 (shared CWE-79)

Affected Assets

Vendor: melapress
Product: wp activity log
Versions: ≤ 5.3.0

Mitigating Controls (NIST 800-53 r5)

prevent: Requires validation and sanitization of the 'message' parameter to block injection of arbitrary web scripts in the WP Activity Log plugin.

prevent: Mandates output escaping and filtering to prevent execution of injected scripts when users access affected pages.

prevent: Ensures timely remediation by updating the vulnerable WP Activity Log plugin to versions beyond 5.2.2 with applied sanitization fixes.
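To make the two weaknesses described in the analysis (missing input sanitization, missing output escaping) and the two controls above concrete, here is an added example in plain PHP; it is hypothetical illustrative code, not the WP Activity Log plugin's own, and the function names and the sample message are constructed for this page.

```php
<?php
// Added example, not the plugin's code: a minimal audit-log 'message' store and
// renderer, first in the vulnerable shape the advisory describes, then hardened
// with input validation (SI-10) and output escaping (SI-15).

// Constructed sample of an attacker-controlled 'message' value.
const SAMPLE_MESSAGE = 'Login failed <script>document.title="owned"</script>';

// Vulnerable: the message is stored verbatim and concatenated into HTML
// unchanged, so any markup in it is interpreted by the browser of whoever
// later views the log page (stored XSS, CWE-79).
function store_message_unsafe(array &$log, string $message): void {
    $log[] = $message;
}
function render_row_unsafe(string $message): string {
    return '<td>' . $message . '</td>';
}

// Hardened, step 1 (SI-10, input validation): strip tags, drop control
// characters and cap the length before storing. WordPress offers
// sanitize_text_field() for the same job. strip_tags() is not a security
// boundary on its own; it only reduces what gets persisted.
function sanitize_message(string $message, int $maxLen = 500): string {
    $clean = strip_tags($message);
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '', $clean) ?? '';
    return mb_substr(trim($clean), 0, $maxLen);
}
function store_message_safe(array &$log, string $message): void {
    $log[] = sanitize_message($message);
}

// Hardened, step 2 (SI-15, output filtering): escape for the HTML text context
// at render time, regardless of what was stored. This is the control that
// actually stops execution; WordPress provides esc_html() for this context.
function render_row_safe(string $message): string {
    return '<td>' . htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

$unsafe = [];
store_message_unsafe($unsafe, SAMPLE_MESSAGE);
$safe = [];
store_message_safe($safe, SAMPLE_MESSAGE);

echo render_row_unsafe($unsafe[0]), "\n";   // raw <script> tag reaches the browser
echo render_row_safe($safe[0]), "\n";       // tag stripped on input, then escaped
echo render_row_safe(SAMPLE_MESSAGE), "\n"; // even an unsanitized stored value is inert
```

The third line of output shows why both controls are listed: even if a value was stored before the sanitization fix shipped, escaping at render time keeps it from executing.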
