CVE-2024-0852: coreActivity < 1.8.1 - Unauthenticated Stored XSS

6.1 CVSS

Description

The coreActivity: Activity Logging for WordPress plugin before 1.8.1 does not escape some request data when outputting it back in the admin dashboard, allowing unauthenticated users to perform a Stored XSS attack against high-privilege users such as admin.

Classification

CVE ID: CVE-2024-0852

CVSS Base Severity: MEDIUM

CVSS Base Score: 6.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Problem Types

CWE-79 Cross-Site Scripting (XSS)

Affected Products

Vendor: Unknown

Product: coreActivity: Activity Logging for WordPress

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.14% (probability of being exploited)

EPSS Percentile: 34.71% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-06-07 (date this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-0852
https://wpscan.com/vulnerability/743c4d79-e1d5-4fb0-a17d-296df2c54e8a/

Timeline