CVE-2024-10793: 
WordPress vulnerability analysis and mitigation

The WP Activity Log plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-10793) in versions up to and including 5.2.1. The vulnerability exists in the user_id parameter due to insufficient input sanitization and output escaping. This security issue was discovered and reported on November 15, 2024 (NVD, WPScan).

The vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when administrative users access affected pages. The CVSS v3.1 base score is 6.1 (Medium) according to NVD's assessment, with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. Wordfence has assigned a slightly higher CVSS score of 7.2 (High) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

When exploited, this vulnerability allows attackers to inject malicious web scripts that execute in the context of administrative users' browsers when they access the injected pages. This can lead to potential compromise of administrative sessions and unauthorized actions performed under the administrator's privileges (WPScan).

The vulnerability has been patched in version 5.2.2 of the WP Activity Log plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).