CVE-2025-11877 Overview
The User Activity Log plugin for WordPress is vulnerable to a limited options update vulnerability in versions up to, and including, 2.2. The failed-login handler ual_shook_wp_login_failed lacks a capability check and writes failed usernames directly into update_option() calls. This makes it possible for unauthenticated attackers to push select site options from 0 to a non-zero value, allowing them to reopen registration or corrupt options like wp_user_roles, breaking wp-admin access.
Critical Impact
Unauthenticated attackers can manipulate WordPress site options without any authorization, potentially enabling user registration or corrupting critical site settings that break administrator access.
Affected Products
- User Activity Log plugin for WordPress versions up to and including 2.2
Discovery Timeline
- January 7, 2026 - CVE-2025-11877 published to NVD
- January 8, 2026 - Last updated in NVD database
Technical Details for CVE-2025-11877
Vulnerability Analysis
This vulnerability falls under CWE-862 (Missing Authorization), a broken access control flaw where a critical function fails to verify that the requesting user has the appropriate permissions. The ual_shook_wp_login_failed function in the User Activity Log plugin processes failed login attempts but does not implement any capability or authorization checks before modifying WordPress options.
When a failed login occurs, the plugin logs the username that was attempted. However, the implementation directly passes the failed username to update_option() calls without sanitization or authorization verification. An attacker can exploit this by crafting specific usernames during failed login attempts that correspond to WordPress option names, effectively manipulating site configuration.
The network-accessible nature of this vulnerability combined with the lack of authentication requirements makes it particularly dangerous for internet-facing WordPress installations. The integrity impact is significant because attackers can modify WordPress options that control critical site behavior.
Root Cause
The root cause is a missing authorization check (CWE-862) in the ual_shook_wp_login_failed function within the user-functions.php file. The function hooks into WordPress's login failure process but fails to validate whether the action should be permitted before writing to the options table. This allows any unauthenticated user to influence update_option() operations by simply attempting to log in with specially crafted usernames.
Attack Vector
The attack is network-based and requires no authentication or user interaction. Exploitation proceeds as follows:
- The attacker identifies a WordPress site running the vulnerable User Activity Log plugin
- The attacker attempts to log in with a specially crafted username that corresponds to a WordPress option name
- The plugin's failed login handler processes the username and writes it to the options table
- Depending on the targeted option, the attacker can enable user registration, corrupt the wp_user_roles option to break admin access, or manipulate other site settings
The vulnerability can be triggered through standard WordPress login endpoints, making detection without proper monitoring challenging. For detailed technical implementation, see the WordPress plugin source code.
Detection Methods for CVE-2025-11877
Indicators of Compromise
- Unusual entries in the wp_options table with unexpected or malformed values
- Failed login attempts with usernames matching WordPress option names (e.g., users_can_register, wp_user_roles)
- Sudden changes to site registration settings without administrator action
- Administrators locked out of wp-admin without explanation
Detection Strategies
- Monitor WordPress authentication logs for failed login attempts with suspicious usernames that match known option names
- Implement integrity monitoring on the wp_options database table to detect unauthorized modifications
- Deploy web application firewall (WAF) rules to detect login attempts with option-like username patterns
- Use SentinelOne's Singularity XDR to correlate authentication anomalies with database modification events
Monitoring Recommendations
- Enable detailed logging of all failed login attempts including the attempted username
- Set up alerts for changes to critical WordPress options such as users_can_register and wp_user_roles
- Monitor for new user registrations if registration was previously disabled
- Review access logs for repeated failed login attempts from single IP addresses with varying usernames
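As an added example (not code from this advisory or from the plugin), the following Python script applies the detection strategies and monitoring recommendations above to constructed failed-login log lines: it flags usernames equal to the option names this advisory cites, applies a looser option-like heuristic for WAF-style matching, and reports source IPs cycling through many usernames. The log line format, the critical-option list and the spraying threshold are assumptions.

```python
import re
from collections import defaultdict
from typing import Optional

# Constructed sample log (not from the page): failed-login records in a
# hypothetical "timestamp ip FAILED_LOGIN user=<name>" format.
SAMPLE_LOG = """\
2026-01-08T10:01:02Z 203.0.113.5 FAILED_LOGIN user=admin
2026-01-08T10:01:09Z 203.0.113.5 FAILED_LOGIN user=users_can_register
2026-01-08T10:01:11Z 203.0.113.5 FAILED_LOGIN user=wp_user_roles
2026-01-08T10:02:40Z 198.51.100.7 FAILED_LOGIN user=jsmith
2026-01-08T10:03:00Z 203.0.113.5 FAILED_LOGIN user=wp_something
"""

# Options the advisory names as affected; a failed login whose username
# equals one of these is a high-confidence indicator.
CRITICAL_OPTIONS = {"users_can_register", "wp_user_roles"}

# Heuristic: WordPress option names are lowercase snake_case, often with a
# wp_ prefix. This catches option-like usernames but will also flag legitimate
# snake_case usernames, so treat it as a lower-severity signal.
OPTION_LIKE = re.compile(r"^[a-z][a-z0-9]*(?:_[a-z0-9]+)+$")

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) FAILED_LOGIN user=(?P<user>.*)$")

# Assumed threshold: this many distinct usernames from one IP is "spraying".
SPRAY_THRESHOLD = 3


def classify_username(user: str) -> Optional[str]:
    """Return 'critical', 'option-like', or None for a failed-login username."""
    if user in CRITICAL_OPTIONS:
        return "critical"
    if user.startswith("wp_") or OPTION_LIKE.match(user):
        return "option-like"
    return None


def scan_failed_logins(log_text: str) -> dict:
    """Scan failed-login lines; return alerts plus IPs cycling many usernames."""
    alerts = []
    users_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not failed-login records
        ts, ip, user = m.group("ts"), m.group("ip"), m.group("user")
        users_by_ip[ip].add(user)
        kind = classify_username(user)
        if kind:
            alerts.append({"ts": ts, "ip": ip, "user": user, "kind": kind})
    spraying = sorted(ip for ip, u in users_by_ip.items() if len(u) >= SPRAY_THRESHOLD)
    return {"alerts": alerts, "spraying_ips": spraying}
```

Feed the script your real failed-login log (adjusting LINE_RE to its format) and route "critical" alerts to the same place as the wp_options integrity alerts, since a hit followed by an option change is the full attack chain.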
How to Mitigate CVE-2025-11877
Immediate Actions Required
- Update the User Activity Log plugin to a version newer than 2.2 that includes the security fix
- Audit the wp_options table for any unauthorized or suspicious modifications
- Verify that users_can_register option is set to your intended value
- Check that wp_user_roles option has not been corrupted and administrator access is intact
- Consider temporarily deactivating the plugin until a patch is applied
Patch Information
Plugin users should update to the latest version of User Activity Log that addresses this vulnerability. The fix should implement proper capability checks in the ual_shook_wp_login_failed function before any update_option() calls are made. Check the Wordfence Vulnerability Report for the latest patch status and remediation guidance.
Workarounds
- Disable the User Activity Log plugin until an official patch is available
- Implement a custom WordPress filter to add authorization checks to the wp_login_failed hook
- Use a web application firewall to block login attempts with suspicious username patterns
- Restrict access to wp-login.php using IP allowlisting if practical for your environment
WP-CLI commands for the checks above:
# Verify current registration settings in WordPress database
wp option get users_can_register
# Check wp_user_roles option integrity
wp option get wp_user_roles
# Disable plugin via WP-CLI if needed
wp plugin deactivate user-activity-log
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.