CVE-2025-13471

CWE-639Insecure Direct Object Reference4 documents4 sources
Severity
5.3MEDIUM
EPSS
0.0%
top 94.64%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Unknown User Activity LOG
Timeline
PublishedJan 28

Description

The User Activity Log WordPress plugin through 2.2 does not properly handle failed login attempts in some cases, allowing unauthenticated users to set arbitrary options to 1 (for example to enable User Registration when it has been turned off)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages1 packages

🔴Vulnerability Details

2
CVEList
User Activity Log <= 2.2 - Unauthenticated Limited Arbitrary Option Update2026-01-28
GHSA
GHSA-w3rg-9jrv-74mc: The User Activity Log WordPress plugin through 22026-01-28

🕵️Threat Intelligence

1
Wiz
CVE-2025-13471 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2025-13471 (MEDIUM CVSS 5.3) | The User Activity Log WordPress plu | cvebase.io