
CVE-2026-25331: WP Activity Log XSS Vulnerability

CVE-2026-25331 is a DOM-based cross-site scripting flaw in the WP Activity Log plugin (versions up to and including 5.5.4) that allows an authenticated attacker to inject malicious scripts. This article covers technical details, affected versions, detection, and mitigation.

CVE-2026-25331 Overview

CVE-2026-25331 is a DOM-Based Cross-Site Scripting (XSS) vulnerability in the Melapress WP Activity Log plugin (wp-security-audit-log) for WordPress. The flaw stems from improper neutralization of input during web page generation [CWE-79]. It affects all plugin versions up to and including 5.5.4. An authenticated attacker with low privileges can inject script payloads that execute in the browser of a victim user who interacts with a crafted link or page element. Successful exploitation can lead to session compromise, unauthorized actions performed in the victim's context, and theft of sensitive WordPress administrative data.

Critical Impact

Authenticated low-privilege attackers can trigger client-side script execution in administrative browsers, enabling session theft and account compromise within scope-changed contexts.

Affected Products

  • Melapress WP Activity Log plugin (wp-security-audit-log) versions up to and including 5.5.4
  • WordPress sites with the plugin installed and active
  • Administrative users interacting with crafted plugin interface elements

Discovery Timeline

  • 2026-02-19 - CVE-2026-25331 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2026-25331

Vulnerability Analysis

The vulnerability is a DOM-Based Cross-Site Scripting issue classified under [CWE-79]. DOM-Based XSS occurs when client-side JavaScript writes attacker-controllable data into the Document Object Model without proper sanitization or output encoding. In the case of WP Activity Log, plugin-supplied JavaScript processes input values and renders them into the page without neutralizing HTML or script content. The scope-changed CVSS vector indicates that exploitation can affect components beyond the vulnerable plugin itself, including the broader WordPress administrative session. The attack requires user interaction, meaning a victim must click a link or load a crafted view for the payload to execute.

Root Cause

The root cause is missing client-side sanitization in the plugin's JavaScript code paths that render user-controllable data into the DOM. Values are inserted using unsafe sinks such as innerHTML or equivalent operations rather than safe assignments like textContent. Because the plugin runs in the WordPress administrative interface, any injected script executes with the privileges of the authenticated viewer.
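To make the unsafe-sink versus safe-assignment distinction concrete, the following added illustration (not WP Activity Log's own code) builds the markup for one activity row both ways; the functions return the HTML string a browser would receive, so the contrast can be checked outside a browser, and the entry value is constructed.

```javascript
// Added illustration, not plugin code: how an innerHTML-style sink turns a
// stored log value into executable markup, and what the fix looks like.
// The functions return the string a browser would parse via element.innerHTML.

// Minimal HTML entity encoding. Assigning through element.textContent has
// the same effect: the value is never parsed as markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: attacker-controlled text is concatenated straight
// into markup that the browser will parse (the innerHTML sink).
function renderEntryUnsafe(entry) {
  return '<td class="user">' + entry.user + '</td>' +
         '<td class="msg">' + entry.message + '</td>';
}

// Hardened pattern: every dynamic value is encoded before it reaches the
// sink, so the browser renders it as text rather than as elements.
function renderEntrySafe(entry) {
  return '<td class="user">' + escapeHtml(entry.user) + '</td>' +
         '<td class="msg">' + escapeHtml(entry.message) + '</td>';
}

// Browser-side equivalent of renderEntrySafe using the safe DOM sink
// directly; only callable where a DOM exists, shown for reference.
function appendEntryWithTextContent(row, entry) {
  for (const field of ['user', 'message']) {
    const cell = document.createElement('td');
    cell.className = field === 'user' ? 'user' : 'msg';
    cell.textContent = entry[field]; // never parsed as HTML
    row.appendChild(cell);
  }
}

// Constructed sample: a stored activity value carrying markup, the kind of
// value the Indicators of Compromise section describes.
const SAMPLE_ENTRY = {
  user: 'editor',
  message: '<script>alert(1)</script> profile updated',
};
```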

Attack Vector

An attacker with low-privilege authenticated access crafts a payload that reaches a DOM sink within the WP Activity Log plugin interface. The payload is delivered through a URL, log entry, or other plugin-rendered field. When an administrative user views the affected page, the malicious script executes in their browser. The attacker can then perform actions on behalf of the administrator, exfiltrate cookies, or pivot to additional WordPress components. Refer to the Patchstack Vulnerability Report for additional technical context.

Detection Methods for CVE-2026-25331

Indicators of Compromise

  • Unexpected <script> tags, javascript: URIs, or HTML event handler attributes stored in WP Activity Log records or plugin settings
  • WordPress administrative sessions making outbound requests to unfamiliar domains shortly after viewing plugin pages
  • New or modified WordPress administrator accounts created without authorized workflow
  • Browser console errors or Content Security Policy violations originating from plugin admin pages

Detection Strategies

  • Audit WP Activity Log database tables for stored values containing HTML or JavaScript syntax that should not appear in legitimate activity entries
  • Inspect web server logs for requests to plugin endpoints carrying URL parameters with script payloads or encoded HTML
  • Monitor browser telemetry from administrative endpoints for anomalous script execution on /wp-admin/ paths referencing the plugin
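The first two detection strategies above can be run as a scan over exported plugin records; the added example below (not a Melapress or Patchstack tool) checks each stored value, raw and URL-decoded, against the script-like syntax listed under Indicators of Compromise. The record shape and the sample rows are constructed assumptions.

```javascript
// Added example, not a Melapress or Patchstack tool: scan exported
// WP Activity Log records for the script-like content listed under
// Indicators of Compromise. Each record is assumed to be {id, field, value},
// e.g. rows dumped from the plugin's tables.

// Syntax that should not appear in legitimate activity entries.
const SUSPICIOUS_PATTERNS = [
  { name: 'script-tag',     re: /<\s*script\b/i },
  { name: 'javascript-uri', re: /javascript\s*:/i },
  { name: 'event-handler',  re: /\bon[a-z]+\s*=/i },
];

// Check the raw value and, where it differs, its URL-decoded form so an
// encoded payload is not missed; malformed encoding keeps the raw form only.
function candidateForms(value) {
  const forms = [value];
  try {
    const decoded = decodeURIComponent(value);
    if (decoded !== value) forms.push(decoded);
  } catch (err) {
    // URIError on malformed percent-encoding: nothing further to add
  }
  return forms;
}

// Returns one finding per record and matching pattern, without duplicates
// when both the raw and decoded forms trigger the same pattern.
function scanRecords(records) {
  const findings = [];
  const seen = new Set();
  for (const rec of records) {
    for (const text of candidateForms(String(rec.value))) {
      for (const p of SUSPICIOUS_PATTERNS) {
        const key = `${rec.id}|${rec.field}|${p.name}`;
        if (p.re.test(text) && !seen.has(key)) {
          seen.add(key);
          findings.push({ id: rec.id, field: rec.field, pattern: p.name });
        }
      }
    }
  }
  return findings;
}

// Constructed sample records (not real data); record 3 is URL-encoded.
const SAMPLE_RECORDS = [
  { id: 1, field: 'user_agent', value: 'Mozilla/5.0 (X11; Linux x86_64)' },
  { id: 2, field: 'post_title', value: 'Quarterly report <script>alert(1)</script>' },
  { id: 3, field: 'link',       value: 'javascript%3Aalert(1)' },
  { id: 4, field: 'post_title', value: 'Meeting notes' },
];
```

Legitimate entries such as post content may contain HTML, so findings are review candidates rather than confirmed compromise.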

Monitoring Recommendations

  • Enable Content Security Policy reporting for the WordPress admin interface to surface inline script execution attempts
  • Track plugin version inventory across WordPress deployments and flag any instance running version 5.5.4 or earlier
  • Correlate administrator login sessions with downstream privilege changes to identify session hijacking patterns

How to Mitigate CVE-2026-25331

Immediate Actions Required

  • Update the WP Activity Log plugin to a version released after 5.5.4 that contains the vendor fix
  • Review WordPress administrative accounts for unauthorized changes since the plugin was last updated
  • Force password resets and session invalidation for all administrative users if exploitation is suspected
  • Restrict access to the WordPress admin interface using IP allowlisting or VPN-gated access where feasible

Patch Information

The vendor Melapress has addressed the issue in a release subsequent to version 5.5.4. Consult the Patchstack Vulnerability Report for the fixed version reference and apply the update through the WordPress plugin management interface or via WP-CLI.

Workarounds

  • Deactivate the WP Activity Log plugin until the patched version can be installed
  • Deploy a web application firewall rule to block requests to plugin endpoints containing script-like payloads in parameters
  • Enforce a strict Content Security Policy on the WordPress admin interface to limit inline script execution
```bash
# Update WP Activity Log plugin via WP-CLI
wp plugin update wp-security-audit-log

# Verify installed version is no longer 5.5.4 or earlier
wp plugin get wp-security-audit-log --field=version

# Temporary deactivation if patching is not immediately possible
wp plugin deactivate wp-security-audit-log
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
