CVE-2025-13471

MEDIUM 5.3

User Activity Log <= 2.2 - Unauthenticated Limited Arbitrary Option Update

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

5th

The User Activity Log WordPress plugin through 2.2 does not properly handle failed login attempts in some cases, allowing unauthenticated users to set arbitrary options to 1 (for example to enable User Registration when it has been turned off)

Vendor	unknown
Product	user activity log
Published	Jan 28, 2026
Last Updated	Apr 2, 2026

Stay Ahead of the Next One

Get instant alerts for unknown user activity log

Be the first to know when new medium vulnerabilities affecting unknown user activity log are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Unknown / User Activity Log

0 ≤ 2.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wpscan.com: https://wpscan.com/vulnerability/cc8743f5-b1b9-4f88-b440-db044034bbfc/

Credits

Alex Tselevich (nos3curity) WPScan