CVE-2025-13471
Description
The User Activity Log WordPress plugin through 2.2 does not properly handle failed login attempts in some cases, allowing unauthenticated users to set arbitrary options to 1 (for example to enable User Registration when it has been turned off).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The User Activity Log WordPress plugin through 2.2 allows unauthenticated attackers to set arbitrary options to 1 via improper handling of failed login attempts.
The User Activity Log WordPress plugin through version 2.2 contains a vulnerability in its handling of failed login attempts. The plugin does not properly validate or restrict the actions taken upon a failed login, enabling an unauthenticated attacker to set arbitrary WordPress options to the value 1 [1].
An attacker can exploit this by sending crafted requests that mimic failed login attempts, bypassing the intended access controls. No authentication is required, and the attack can be launched remotely over the network [1].
Successful exploitation allows the attacker to enable settings that were previously disabled. For example, an attacker could turn on user registration when it had been turned off, potentially leading to unauthorized account creation and further compromise [1].
As of the publication date, no fix is available. The vendor has not released a patched version, and the plugin remains vulnerable. Administrators are advised to disable the plugin until a security update is issued [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
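An audit sketch for sites that ran the plugin, added here as an example and not taken from the advisory or the plugin: it checks whether the plugin is active at an affected version and lists options that are 1 now but were not in an earlier snapshot. It assumes the plugin slug `user-activity-log` and saved output of `wp plugin list --format=json` and `wp option list --format=json`; all sample data is constructed, and findings are triage leads because administrators also set options to 1 legitimately.

```python
import json

# Assumptions (not from the advisory): the plugin's directory slug, and that the
# inputs are saved output of `wp plugin list --format=json` and
# `wp option list --format=json`. All sample data below is constructed.
PLUGIN_SLUG = "user-activity-log"      # assumed slug; confirm on your site
LAST_AFFECTED = "2.2"                  # from the advisory: "through 2.2"
HIGH_IMPACT = {"users_can_register"}   # the advisory's own example option


def version_key(v):
    """'2.10' -> (2, 10) so comparison is numeric, not lexical."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def plugin_affected(plugins_json):
    """True if the plugin is active at a version <= LAST_AFFECTED."""
    for p in json.loads(plugins_json):
        if p["name"] == PLUGIN_SLUG and p["status"].startswith("active"):
            return version_key(p["version"]) <= version_key(LAST_AFFECTED)
    return False


def flipped_to_one(baseline_json, current_json):
    """Options whose value is '1' now but was absent or different in the baseline."""
    before = {o["option_name"]: str(o["option_value"])
              for o in json.loads(baseline_json)}
    findings = []
    for o in json.loads(current_json):
        name, value = o["option_name"], str(o["option_value"])
        if value == "1" and before.get(name) != "1":
            severity = "high" if name in HIGH_IMPACT else "review"
            findings.append((name, before.get(name, "<absent>"), severity))
    return sorted(findings)


# Constructed sample snapshots.
PLUGINS = '[{"name":"user-activity-log","status":"active","version":"2.2"}]'
BASELINE = ('[{"option_name":"users_can_register","option_value":"0"},'
            '{"option_name":"blog_public","option_value":"1"}]')
CURRENT = ('[{"option_name":"users_can_register","option_value":"1"},'
           '{"option_name":"blog_public","option_value":"1"},'
           '{"option_name":"example_new_flag","option_value":"1"}]')

if __name__ == "__main__":
    if plugin_affected(PLUGINS):
        for name, old, sev in flipped_to_one(BASELINE, CURRENT):
            print(f"[{sev}] {name}: {old} -> 1")
```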
Affected products (2)
- Range: <=2.2
- Range: <=2.2
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.