CVE-2025-11877: Missing Authorization in User Activity Log

Severity: 7.5 HIGH (NVD)
EPSS: 0.0% (top 90.03%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 7

Description

The User Activity Log plugin is vulnerable to a limited options update in versions up to, and including, 2.2. The failed-login handler 'ual_shook_wp_login_failed' lacks a capability check and writes failed usernames directly into update_option() calls. This makes it possible for unauthenticated attackers to push select site options from 0 to a non-zero value, allowing them to reopen registration or corrupt options like 'wp_user_roles', breaking wp-admin access. CVE-2025-13471 appears to be a dup

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages: 1 package

Vulnerability Details (2)

CVEList: User Activity Log <= 2.2 - Unauthenticated Limited Options Update via Failed Login (2026-01-07)
GHSA: GHSA-69mj-pc6r-5cgv: The User Activity Log plugin is vulnerable to a limited options update in versions up to, and including, 2 (2026-01-07)

Threat Intelligence (1)

Wiz: CVE-2025-11877 Impact, Exploitability, and Mitigation Steps | Wiz

Source page: CVE-2025-11877 — Missing Authorization | cvebase