WP Activity Log <= 5.2.1 - Unauthenticated Stored Cross-Site Scripting via User_id Parameter

An unauthenticated attacker can inject arbitrary JavaScript by crafting a cron event whose `args` or `hook` property contains malicious script payloads. When the WP Activity Log plugin logs the cron event creation, execution, or deletion, the unsanitized payload is stored in the alert data. The payload executes in the browser of any administrative user who views the affected activity log page. No authentication is required because WordPress cron events can be triggered externally via `wp-cron.php` and the plugin logs them automatically [CWE-79].

The vulnerability resides in the WP Activity Log plugin's `wp-system-sensor.php` file, specifically in the `created_cron_job`, `removed_cron_job`, and `attach_cron_actions` methods where the `$cron->args` and `$cron->hook` values are passed directly into alert data arrays without sanitization or escaping. These unsanitized values are later rendered in the WordPress admin activity log pages, enabling stored XSS.

The patch does not appear in the provided bundle. Based on the advisory, the fix must involve adding proper input sanitization and output escaping to the cron-related alert data fields (`arguments`, `task_name`, etc.) before they are stored or rendered. Without escaping, any attacker-controlled value in a cron event's hook name or arguments becomes executable script content in the admin log viewer.