Description

The User Activity Log WordPress plugin through 2.2 does not properly handle failed login attempts in some cases, allowing unauthenticated users to set arbitrary options to 1 (for example, to enable User Registration when it has been turned off).

PUBLISHED Reserved 2025-11-20 | Published 2026-01-28 | Updated 2026-01-28 | Assigner WPScan

Problem types

CWE-639 Authorization Bypass Through User-Controlled Key

Product status

Default status: affected

Any version: affected

Credits

Alex Tselevich (nos3curity), finder

WPScan, coordinator

References

wpscan.com/...rability/cc8743f5-b1b9-4f88-b440-db044034bbfc/ exploit vdb-entry technical-description

cve.org (CVE-2025-13471)

nvd.nist.gov (CVE-2025-13471)