Cyber Resilience

CVE-2025-11877

High

Published: 07 January 2026

Published
07 January 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score 0.0003 10.8th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-11877 is a high-severity Missing Authorization (CWE-862) vulnerability in Wordpress (inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-11877 is a vulnerability in the User Activity Log WordPress plugin, affecting versions up to and including 2.2. The issue arises in the failed-login handler function 'ual_shook_wp_login_failed', which lacks a capability check and directly incorporates failed usernames into update_option() calls. This flaw enables limited unauthorized updates to specific site options, classified under CWE-862 (Missing Authorization) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

Unauthenticated attackers can exploit this vulnerability remotely by submitting crafted failed login attempts using malicious usernames. Successful exploitation allows them to modify select WordPress site options, such as changing a value from 0 to a non-zero integer. This can reopen user registration on sites where it was disabled or corrupt critical options like 'wp_user_roles', potentially breaking access to the wp-admin dashboard.

Advisories and related resources, including the Wordfence threat intelligence report and the plugin's source code on WordPress Trac, provide further details on the vulnerability. CVE-2025-13471 is noted as a duplicate of this CVE.

EU & UK References

Vulnerability details

The User Activity Log plugin is vulnerable to a limited options update in versions up to, and including, 2.2. The failed-login handler 'ual_shook_wp_login_failed' lacks a capability check and writes failed usernames directly into update_option() calls. This makes it possible for…

more

unauthenticated attackers to push select site options from 0 to a non-zero value, allowing them to reopen registration or corrupt options like 'wp_user_roles', breaking wp-admin access. CVE-2025-13471 appears to be a duplicate of this CVE.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote exploitation of a public-facing WordPress plugin via missing authorization in the failed-login handler, enabling unauthorized option modification.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-45209Shared CWE-862
CVE-2026-25026Shared CWE-862
CVE-2026-42083Shared CWE-862
CVE-2026-0656Shared CWE-862
CVE-2026-24532Shared CWE-862
CVE-2025-13603Shared CWE-862
CVE-2025-69063Shared CWE-862
CVE-2026-3045Shared CWE-862
CVE-2025-67956Shared CWE-862
CVE-2025-41765Shared CWE-862

Affected Assets

Wordpress
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations, directly addressing the missing capability check in the failed-login handler that allows unauthenticated option updates.

prevent

Validates and sanitizes untrusted inputs like failed login usernames before incorporating them into update_option() calls, preventing crafted values from modifying site options.

prevent

Enforces least privilege to ensure plugin handlers do not perform sensitive operations like option updates without required capabilities.

References