CVE-2025-0767: 
WordPress vulnerability analysis and mitigation

WP Activity Log version 5.3.2 was discovered to contain an insecure deserialization vulnerability, identified as CVE-2025-0767. The vulnerability was discovered on January 3, 2025, and publicly disclosed on February 28, 2025. The security flaw affects the plugin's CSV writer functionality, specifically in the myapp/classes/Writers/class-csv-writer.php file (Fluid Attacks, CVE Mitre).

The vulnerability stems from unvalidated user input being directly used in an unserialize function within the CSV writer component. The issue was discovered in the writecsvajax() function where user input from $_POST['query'] is processed without proper validation. The vulnerability has been assigned a CVSSv4 vector of CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N, indicating a relatively low severity but still requiring attention (Fluid Attacks).

The insecure deserialization vulnerability could potentially lead to limited integrity and availability impacts on the affected systems. The CVSS scoring indicates that while there is no confidentiality impact, there are low-level impacts on integrity and availability (Fluid Attacks).

The vulnerability has been patched in WP Activity Log version 5.3.3, released on March 4, 2025. Users are strongly advised to update to this latest version which includes the security fix for the insecure deserialization issue (WordPress Plugin).