Description

The User Activity Log plugin is vulnerable to a limited options update in versions up to, and including, 2.2. The failed-login handler 'ual_shook_wp_login_failed' lacks a capability check and writes failed usernames directly into update_option() calls. This makes it possible for unauthenticated attackers to push select site options from 0 to a non-zero value, allowing them to reopen registration or corrupt options like 'wp_user_roles', breaking wp-admin access.

Status: PUBLISHED | Reserved 2025-10-16 | Published 2026-01-07 | Updated 2026-01-07 | Assigner: Wordfence

Severity: HIGH 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Problem types

CWE-862 Missing Authorization

Product status

Default status: unaffected

Version range * (semver): affected

Timeline

2026-01-06: Disclosed

Credits

Angus Girvan (finder)

References

www.wordfence.com/...-cec2-4270-88f0-8696ebfb7168?source=cve

plugins.trac.wordpress.org/...y-log/trunk/user-functions.php

cve.org (CVE-2025-11877)

nvd.nist.gov (CVE-2025-11877)