
CVE-2025-13471: WordPress User Activity Log Plugin Vulnerability

CVE-2025-13471 is an authorization bypass flaw in the User Activity Log WordPress plugin (through version 2.2) that lets unauthenticated attackers set arbitrary options to 1, enabling features such as user registration that administrators had deliberately disabled. This article covers technical details, affected versions, impact, and mitigation strategies.


CVE-2025-13471 Overview

CVE-2025-13471 is an Authorization Bypass vulnerability affecting the User Activity Log WordPress plugin through version 2.2. The plugin does not properly handle failed login attempts in some cases, allowing unauthenticated users to set arbitrary options to 1. This flaw can be exploited to enable critical WordPress settings such as User Registration when it has been intentionally disabled by administrators.

Critical Impact

Unauthenticated attackers can manipulate WordPress site options, potentially enabling user registration and other security-sensitive settings without authorization.

Affected Products

  • User Activity Log WordPress plugin through version 2.2

Discovery Timeline

  • 2026-01-28 - CVE-2025-13471 published to NVD
  • 2026-01-29 - Last updated in NVD database

Technical Details for CVE-2025-13471

Vulnerability Analysis

This Authorization Bypass vulnerability exists in the User Activity Log plugin's failed login attempt handling mechanism. The plugin, designed to track user activity including authentication events, contains a flaw in how it processes failed login attempts. Under certain conditions, this improper handling allows unauthenticated remote attackers to set arbitrary WordPress options to a value of 1.

The most significant exploitation scenario involves enabling the users_can_register option, which controls whether visitors can register new accounts on the WordPress site. Many administrators intentionally disable this feature for security purposes, but this vulnerability allows attackers to bypass that administrative decision entirely.

Root Cause

The root cause lies in the plugin's improper validation and handling of failed login attempt data. When processing login failures, the plugin fails to adequately verify the authentication status of the request or properly sanitize input parameters. This oversight creates a condition where option modification functions can be triggered by unauthenticated users, bypassing the intended administrative access controls.

Attack Vector

The vulnerability is exploitable over the network without requiring authentication. An attacker can send specially crafted requests to the WordPress site that trigger the vulnerable code path during failed login attempt processing. The attack requires no user interaction and can be performed with low complexity.

The exploitation flow involves:

  1. Identifying a WordPress site running the vulnerable User Activity Log plugin
  2. Crafting requests that trigger the failed login handling mechanism
  3. Manipulating parameters to set arbitrary options to 1
  4. Enabling user registration or other options to facilitate further compromise

The attacker can then leverage enabled user registration to create accounts, potentially escalating privileges or conducting further attacks against the WordPress installation.

Detection Methods for CVE-2025-13471

Indicators of Compromise

  • Unexpected changes to WordPress options, particularly users_can_register being enabled
  • Unusual failed login patterns in server logs associated with option modification
  • New user registrations appearing when registration was administratively disabled
  • Activity logs showing option changes without corresponding administrator sessions

Detection Strategies

  • Monitor WordPress options table for unauthorized modifications to critical settings
  • Review web server access logs for suspicious requests targeting the User Activity Log plugin endpoints
  • Baseline the values of security-sensitive wp_options rows and compare them periodically to detect unexpected changes
  • Deploy web application firewall (WAF) rules to detect anomalous parameter patterns in authentication requests

Monitoring Recommendations

  • Enable detailed logging for WordPress option changes and correlate with authenticated sessions
  • Set up alerts for the users_can_register option being modified outside of administrative workflows
  • Monitor for new user account creations, especially when registration should be disabled
  • Review plugin-specific log files for anomalous failed login attempt patterns

How to Mitigate CVE-2025-13471

Immediate Actions Required

  • Deactivate the User Activity Log plugin until a patched version is available
  • Verify that the users_can_register WordPress option is set to the intended value
  • Review existing user accounts for any unauthorized registrations
  • Audit WordPress options for unexpected modifications

Patch Information

No official patch information is available at this time. Organizations should monitor the WPScan Vulnerability Report for updates on remediation and patched versions. Consider replacing the plugin with an alternative user activity logging solution until a fix is released.

Workarounds

  • Disable the User Activity Log plugin until a security update is available
  • Implement WAF rules to block suspicious requests to plugin endpoints
  • Add database-level triggers or monitoring to alert on unauthorized option changes
  • Consider using WordPress security plugins to enforce option values and prevent unauthorized modifications
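The last workaround above, enforcing option values, and the detection strategy of correlating option changes with administrator sessions can be implemented together in a small must-use plugin. The following is an added example written for this page; it is not code from the User Activity Log plugin or from any security plugin named above, and the filename `wp-content/mu-plugins/pin-critical-options.php`, the `PCO_` prefix and the watch list of option names are assumptions. It uses only documented WordPress hooks: `pre_option_{$option}` pins what `get_option()` returns, `pre_update_option_{$option}` drops writes that disagree with the pinned value, and `updated_option` records changes to other sensitive options that were not made under an authenticated `manage_options` session. It is a compensating control on top of deactivating the plugin, not a fix for the vulnerable code path itself.

```php
<?php
/**
 * Plugin Name: Pin Critical Options (added example)
 * Description: Pins users_can_register to the administrator's intended value and logs
 *              attempts to change watch-listed options outside an authenticated admin session.
 *
 * Save as wp-content/mu-plugins/pin-critical-options.php (filename is an assumption).
 * Must-use plugins load before regular plugins, so the pin is active whenever the site runs.
 */

defined( 'ABSPATH' ) || exit;

// Options whose value the administrator has fixed. WordPress stores option values as
// strings, so the pinned values are strings too ('0' = registration disabled).
const PCO_PINNED_OPTIONS = array(
	'users_can_register' => '0',
);

// Security-sensitive options that are not pinned but whose changes should be logged and
// correlated with an administrator session (assumed watch list; extend as needed).
const PCO_WATCHED_OPTIONS = array( 'default_role', 'admin_email', 'siteurl', 'home' );

/**
 * Describe the current request for the log line: who (if anyone) is authenticated,
 * whether they hold manage_options, and which endpoint and client address were involved.
 */
function pco_request_context() {
	$user_id = is_user_logged_in() ? get_current_user_id() : 0;
	return sprintf(
		'user_id=%d manage_options=%s uri=%s remote=%s',
		$user_id,
		current_user_can( 'manage_options' ) ? 'yes' : 'no',
		isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '-',
		isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '-'
	);
}

foreach ( PCO_PINNED_OPTIONS as $pco_option => $pco_value ) {
	// Reads: get_option() short-circuits with the pinned value, so the registration check
	// in wp-login.php never sees a tampered row even if one has been written to the database.
	add_filter( "pre_option_{$pco_option}", function () use ( $pco_value ) {
		return $pco_value;
	} );

	// Writes: update_option() compares the filtered value with the current (pinned) value
	// and skips the database write when they are equal, so returning the pinned value drops
	// the change. The attempt is logged before it is dropped.
	add_filter( "pre_update_option_{$pco_option}", function ( $new_value, $old_value ) use ( $pco_option, $pco_value ) {
		if ( (string) $new_value !== $pco_value ) {
			error_log( sprintf(
				'[pin-critical-options] blocked change of %s from %s to %s; %s',
				$pco_option, $pco_value, var_export( $new_value, true ), pco_request_context()
			) );
		}
		return $pco_value;
	}, 10, 2 );
}

// A successful change to a watched option that did not come from a user with manage_options
// is the "option change without an administrator session" indicator listed above.
// error_log() stands in for the site's SIEM or log forwarder.
add_action( 'updated_option', function ( $option, $old_value, $new_value ) {
	if ( in_array( $option, PCO_WATCHED_OPTIONS, true ) && ! current_user_can( 'manage_options' ) ) {
		error_log( sprintf(
			'[pin-critical-options] %s changed from %s to %s without an admin session; %s',
			$option, var_export( $old_value, true ), var_export( $new_value, true ), pco_request_context()
		) );
	}
}, 10, 3 );
```

Two design points are worth noting. First, because reads are pinned, the Settings screen and any legitimate administrator are also unable to change `users_can_register` until the constant is edited; that is intentional while the vulnerable plugin is a concern. Second, the pin only covers writes that go through `update_option()`; a row changed directly in the database would still be reported by the WP-CLI check below, which is why the two controls belong together.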

Administrators can verify and reset critical options using WP-CLI:

```bash
# Check the current user registration setting (0 = disabled, 1 = enabled)
wp option get users_can_register

# Disable user registration if it was improperly enabled
wp option update users_can_register 0

# Inspect the stored row directly; `wp db prefix` resolves a non-default table prefix
wp db query "SELECT option_id, option_name, option_value FROM $(wp db prefix)options WHERE option_name = 'users_can_register'"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
