CVE-2025-11877
Published: 07 January 2026
Summary
CVE-2025-11877 is a high-severity Missing Authorization (CWE-862) vulnerability in Wordpress (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-11877 is a vulnerability in the User Activity Log WordPress plugin, affecting versions up to and including 2.2. The issue arises in the failed-login handler function 'ual_shook_wp_login_failed', which lacks a capability check and directly incorporates failed usernames into update_option() calls. This flaw enables limited unauthorized updates to specific site options, classified under CWE-862 (Missing Authorization) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
Unauthenticated attackers can exploit this vulnerability remotely by submitting crafted failed login attempts using malicious usernames. Successful exploitation allows them to modify select WordPress site options, such as changing a value from 0 to a non-zero integer. This can reopen user registration on sites where it was disabled or corrupt critical options like 'wp_user_roles', potentially breaking access to the wp-admin dashboard.
Advisories and related resources, including the Wordfence threat intelligence report and the plugin's source code on WordPress Trac, provide further details on the vulnerability. CVE-2025-13471 is noted as a duplicate of this CVE.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1350
Vulnerability details
The User Activity Log plugin is vulnerable to a limited options update in versions up to, and including, 2.2. The failed-login handler 'ual_shook_wp_login_failed' lacks a capability check and writes failed usernames directly into update_option() calls. This makes it possible for…
more
unauthenticated attackers to push select site options from 0 to a non-zero value, allowing them to reopen registration or corrupt options like 'wp_user_roles', breaking wp-admin access. CVE-2025-13471 appears to be a duplicate of this CVE.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct remote exploitation of a public-facing WordPress plugin via missing authorization in the failed-login handler, enabling unauthorized option modification.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces approved authorizations, directly addressing the missing capability check in the failed-login handler that allows unauthenticated option updates.
Validates and sanitizes untrusted inputs like failed login usernames before incorporating them into update_option() calls, preventing crafted values from modifying site options.
Enforces least privilege to ensure plugin handlers do not perform sensitive operations like option updates without required capabilities.