CVE-2026-45435

Vulnerability

The WP Activity Log plugin for WordPress versions from n/a through 5.6.3 contains a DOM-based Cross-Site Scripting (XSS) vulnerability due to improper neutralization of input during web page generation. The vulnerability is triggered when a privileged user interacts with crafted input, such as a malicious link or form submission. [1]

Exploitation

An attacker can exploit this vulnerability by crafting a malicious link, page, or form that, when interacted with by a privileged user (e.g., an administrator), injects and executes arbitrary JavaScript in the context of the victim's browser. The attack requires user interaction from a user with sufficient privileges to access the vulnerable functionality. [1]

Impact

Successful exploitation allows the attacker to inject malicious scripts, such as redirects, advertisements, or other HTML payloads, which execute when visitors access the affected site. This can lead to information disclosure, session hijacking, or defacement. [1]

Mitigation

The vulnerability is fixed in version 5.6.3.1 or later. Users should update immediately. For those unable to update, Patchstack provides a mitigation rule to block attacks until the patch is applied. [1]