CVE-2025-3436: 
WordPress vulnerability analysis and mitigation

The coreActivity: Activity Logging for WordPress plugin is vulnerable to SQL Injection in versions up to and including 2.7. The vulnerability was discovered and disclosed on April 8, 2025, and is tracked as CVE-2025-3436. The issue affects the plugin's handling of 'order' and 'orderby' parameters, making WordPress installations using this plugin potentially vulnerable (NVD CVE).

The vulnerability stems from insufficient escaping of user-supplied parameters and inadequate preparation of SQL queries in the Live.php file. Specifically, the 'order' and 'orderby' parameters lack proper sanitization, allowing authenticated attackers to manipulate existing SQL queries. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility with low attack complexity (NVD CVE).

When exploited, this vulnerability allows authenticated attackers with Subscriber-level access or higher to append additional SQL queries to existing queries. This capability can be leveraged to extract sensitive information from the WordPress database, potentially compromising the security and confidentiality of the website's data (NVD CVE).

A fix has been implemented in the plugin's codebase, as evidenced by the changeset 3259839, which includes improved sanitization of the Live Logs input arguments and enhanced security measures for various panel code decorations (WordPress Plugin).