CVE-2024-0852: 
WordPress vulnerability analysis and mitigation

The coreActivity: Activity Logging for WordPress plugin before version 1.8.1 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and disclosed in January 2024, affecting WordPress installations using the vulnerable plugin versions. This security issue allows unauthenticated users to perform Stored XSS attacks targeting high-privilege users such as administrators (WPScan).

The vulnerability exists due to insufficient input sanitization and output escaping of request data in the admin dashboard. The CVSS score for this vulnerability is 8.8 (High), and it is classified as CWE-79: Cross-Site Scripting, falling under the OWASP Top 10 category A7: Cross-Site Scripting (XSS). The vulnerability can be exploited by sending malicious requests that will be stored and later executed when administrators access the logs dashboard (WPScan).

When successfully exploited, this vulnerability allows unauthenticated attackers to inject malicious web scripts that execute in the context of authenticated administrators viewing the logs dashboard. This could potentially lead to unauthorized actions being performed with administrator privileges (WPScan).

The vulnerability has been patched in version 1.8.1 of the coreActivity plugin. Site administrators should update to this version or later to protect against this security issue (WPScan).