VulnTitan VulnTitan Security command center
Plugin Vulnerability Hub
Plugin 10 known issues Latest disclosed Jan 06, 2026

User Activity Log Vulnerabilities

Review known vulnerability records for the WordPress plugin User Activity Log (`user-activity-log`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2025-11877, CVE-2024-31356 and CVE-2023-4279, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed
Known Records
10
High or Critical
6
Patch Coverage
100%
Last Updated
Feb 03, 2026
Priority CVE Quick Links

Fast paths into User Activity Log CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs
7
CVE-2024-31356 Critical 2.0
CVE-2024-31356 User Activity Log SQL Injection

User Activity Log <= 1.9 - Authenticated (Administrator+) SQL Injection

CVE-2025-11877 High No patch listed
CVE-2025-11877 User Activity Log Vulnerability

User Activity Log <= 2.2 - Unauthenticated Limited Options Update via Failed Login

CVE-2023-4269 High 1.6.6
CVE-2023-4269 User Activity Log Sensitive Information Exposure

User Activity Log <= 1.6.5 - Unauthenticated Data Export to Sensitive Information Disclosure

CVE-2023-3435 High 1.6.5
CVE-2023-3435 User Activity Log SQL Injection

User Activity Log <= 1.6.4 - Unauthenticated SQL Injection

CVE-2023-37966 High 1.6.3
CVE-2023-37966 User Activity Log SQL Injection

User Activity Log <= 1.6.2 - Authenticated (Administrator+) SQL Injection

CVE-2023-2761 Medium 1.6.3
CVE-2023-2761 User Activity Log SQL Injection

User Activity Log <= 1.6.2 - Authenticated(Administrator+) SQL Injection via txtsearch

CVE-2023-4279 Medium 1.6.7
CVE-2023-4279 User Activity Log Vulnerability

User Activity Log <= 1.6.6 - IP Address Spoofing

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for User Activity Log so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility
10 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix
1 critical and 5 high severity findings.
Recent CVEs
CVE-2025-11877, CVE-2024-31356 and CVE-2023-4279
Reference Workflow
Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.
Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for User Activity Log

Sorted by latest disclosure date so newly published issues surface first.

Plugin High Patched: No CVE-2025-11877
CVE-2025-11877: User Activity Log <= 2.2 - Unauthenticated Limited Options Update via Failed Login

The User Activity Log plugin is vulnerable to a limited options update in versions up to, and including, 2.2. The failed-login handler 'ual_shook_wp_login_failed' lacks a capability check and writes failed usernames directly into update_option() calls. This makes it possible for...

Published
Jan 06, 2026
Patched Release
Not published
Affected Versions
Versions up to 2.2
Next Step
Open the full report for remediation notes and references.
Open CVE-2025-11877 Report Open CVE Reference
Plugin Critical Patched: Yes CVE-2024-31356
CVE-2024-31356: User Activity Log <= 1.9 - Authenticated (Administrator+) SQL Injection

The User Activity Log plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attac...

Published
Apr 07, 2024
Patched Release
2.0
Affected Versions
Versions up to 1.9
Next Step
Update to 2.0 or newer if supported.
Open CVE-2024-31356 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2023-4279
CVE-2023-4279: User Activity Log <= 1.6.6 - IP Address Spoofing

The User Activity Log plugin for WordPress is vulnerable to IP Address Spoofing in versions up to and including 1.6.6. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging. Attackers can supplied the X-Forwarded-For h...

Published
Aug 14, 2023
Patched Release
1.6.7
Affected Versions
Versions up to 1.6.6
Next Step
Update to 1.6.7 or newer if supported.
Open CVE-2023-4279 Report Open CVE Reference
Plugin High Patched: Yes CVE-2023-4269
CVE-2023-4269: User Activity Log <= 1.6.5 - Unauthenticated Data Export to Sensitive Information Disclosure

The User Activity Log plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.6.4 via the ual_export_log() function that is missing a capability check. This can allow unauthenticated attackers to extract sensitive data including us...

Published
Aug 08, 2023
Patched Release
1.6.6
Affected Versions
Versions up to 1.6.5
Next Step
Update to 1.6.6 or newer if supported.
Open CVE-2023-4269 Report Open CVE Reference
Plugin High Patched: Yes CVE-2023-3435
CVE-2023-3435: User Activity Log <= 1.6.4 - Unauthenticated SQL Injection

The User Activity Log plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.6.4 via the ual_export_log() and ual_export_user_log() function that is missing preparation on existing queries as well as escaping on the user input passed to them. This...

Published
Jul 24, 2023
Patched Release
1.6.5
Affected Versions
Versions up to 1.6.4
Next Step
Update to 1.6.5 or newer if supported.
Open CVE-2023-3435 Report Open CVE Reference
Plugin High Patched: Yes
User Activity Log <= 1.6.2 - Unauthenticated SQL Injection via username

The User Activity Log plugin for WordPress is vulnerable to generic SQL Injection via the username value when logging in in versions up to, and including, 1.6.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL quer...

Published
Jul 14, 2023
Patched Release
1.6.3
Affected Versions
Versions up to 1.6.2
Next Step
Update to 1.6.3 or newer if supported.
Open Full Report
Plugin High Patched: Yes CVE-2023-37966
CVE-2023-37966: User Activity Log <= 1.6.2 - Authenticated (Administrator+) SQL Injection

The User Activity Log plugin for WordPress is vulnerable to SQL Injection via several parameters like 'userrole', 'userip', 'username', and 'type' in versions up to, and including, 1.6.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparatio...

Published
Jul 12, 2023
Patched Release
1.6.3
Affected Versions
Versions up to 1.6.2
Next Step
Update to 1.6.3 or newer if supported.
Open CVE-2023-37966 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2023-2761
CVE-2023-2761: User Activity Log <= 1.6.2 - Authenticated(Administrator+) SQL Injection via txtsearch

The User Activity Log plugin for WordPress is vulnerable to generic SQL Injection via the ‘txtsearch’ parameter in versions up to, and including, 1.6.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This m...

Published
May 25, 2023
Patched Release
1.6.3
Affected Versions
Versions up to 1.6.2
Next Step
Update to 1.6.3 or newer if supported.
Open CVE-2023-2761 Report Open CVE Reference
Plugin Medium Patched: Yes
User Activity Log <= 1.4.6 - Reflected Cross-Site Scripting

The User Activity Log plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘txtsearch’ parameter in versions up to, and including, 1.4.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inj...

Published
Aug 30, 2021
Patched Release
1.4.7
Affected Versions
Versions up to 1.4.6
Next Step
Update to 1.4.7 or newer if supported.
Open Full Report
Plugin Medium Patched: Yes
User Activity Log <= 1.4.6 - Reflected Cross Site Scripting

The User Activity Log plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the "$_SERVER['QUERY_STRING']" in versions up to, and including, 1.4.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers t...

Published
Aug 30, 2021
Patched Release
1.4.7
Affected Versions
Versions up to 1.4.6
Next Step
Update to 1.4.7 or newer if supported.
Open Full Report