CVE-2025-0924
Published: 17 February 2025
Summary
CVE-2025-0924 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Melapress WP Activity Log. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 7.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
The WP Activity Log plugin for WordPress, also distributed under the wp-security-audit-log slug, contains a stored cross-site scripting vulnerability in all versions through 5.2.2. The flaw resides in the handling of the message parameter and stems from insufficient input sanitization combined with inadequate output escaping, allowing malicious content to be persisted and later rendered in administrative or audit-log views.
Unauthenticated attackers can supply crafted input that is stored by the plugin and subsequently executed in the browser of any user who views the affected page. Successful exploitation yields the ability to perform actions on behalf of the victim within the WordPress context; the CVSS vector reflects a network-reachable, low-complexity attack that requires neither authentication nor user interaction.
Public references point to a patched release tracked in changeset 3238760 on the WordPress plugin repository, and site operators are advised to update to the current version listed on the plugin developer's page. The Wordfence advisory further details the affected code paths in the Alert and Alert Manager controllers.
EPSS for the CVE rose from lower values to a peak of 0.1542 on 2025-12-18 before receding to the current 0.0845, which indicates measurable post-disclosure exploitation interest and warrants renewed attention.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-1928
Vulnerability details
The WP Activity Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'message' parameter in all versions up to, and including, 5.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in a public-facing WordPress plugin directly enables remote exploitation (T1190) and facilitates browser session hijacking and cookie theft (T1185/T1539) as well as defacement (T1491).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation and sanitization of the 'message' parameter to block injection of arbitrary web scripts in the WP Activity Log plugin.
- SI-15 (Information Output Filtering): mandates output escaping and filtering to prevent execution of injected scripts when users access affected pages.
- Ensures timely remediation by updating the vulnerable WP Activity Log plugin to versions beyond 5.2.2 with applied sanitization fixes.
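The two controls above, shown side by side in an added illustration that is not the WP Activity Log plugin's own code: a minimal WordPress-style handler that persists a user-supplied 'message' and later renders it in an admin table, first trusting the value on both ends, then sanitizing on input (SI-10) and escaping on output (SI-15). The handler functions, the in-memory log array and the request payload are all constructed here; the `sanitize_text_field()` and `esc_html()` stand-ins are only defined when the real WordPress functions are absent.

```php
<?php
// Added illustration, not the plugin's code: vulnerable vs. hardened handling
// of a 'message' parameter that is stored and later rendered to admins.

// Stand-ins so the file also runs under plain `php` outside WordPress;
// inside WordPress the real functions exist and these definitions are skipped.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $s): string {
        // Approximates WordPress: strip tags, drop control characters, trim.
        return trim(preg_replace('/[\x00-\x1F\x7F]/', '', strip_tags($s)));
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern: the raw parameter is stored, then concatenated into HTML.
function vulnerable_store(array &$log, array $request): void {
    $log[] = (string) ($request['message'] ?? '');
}
function vulnerable_render(array $log): string {
    $rows = '';
    foreach ($log as $msg) { $rows .= "<tr><td>$msg</td></tr>"; }
    return "<table>$rows</table>";
}

// Hardened pattern: sanitize what is stored AND escape what is rendered.
// Output escaping is what neutralises script that is already in storage;
// input sanitization is defence in depth that keeps the stored record clean.
function hardened_store(array &$log, array $request): void {
    $log[] = sanitize_text_field((string) ($request['message'] ?? ''));
}
function hardened_render(array $log): string {
    $rows = '';
    foreach ($log as $msg) { $rows .= '<tr><td>' . esc_html($msg) . '</td></tr>'; }
    return "<table>$rows</table>";
}

// Constructed request carrying a harmless marker payload.
$request = ['message' => 'Login failed <script>alert(1)</script>'];

$bad = [];  vulnerable_store($bad, $request);
$good = []; hardened_store($good, $request);
echo vulnerable_render($bad), PHP_EOL;  // <script> reaches the admin page verbatim
echo hardened_render($bad), PHP_EOL;    // escaping alone: &lt;script&gt; is shown, not run
echo hardened_render($good), PHP_EOL;   // both controls: tag stripped, remainder encoded
```

The second `echo` is the case that matters after updating: entries stored before the fix remain in the database, and output escaping is what keeps them from executing when the log is viewed.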