PatchSiren cyber security CVE debrief
CVE-2026-45435 Melapress CVE debrief
A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the WP Activity Log plugin for WordPress, affecting versions up to and including 5.6.3. The weakness is improper neutralization of input during web page generation (CWE-79): in a DOM-based XSS the plugin's client-side script, rather than the server, writes attacker-influenced data into the page without encoding it, so an attacker with a low-privileged account can supply a payload that runs as JavaScript in the browser of a victim who opens the crafted page. The CVSS 3.1 base score of 6.5 (Medium) reflects a network attack vector, low attack complexity, low privileges required, user interaction required, and changed scope with low impact to confidentiality, integrity, and availability. The CVE record was published on May 25, 2026 and modified on May 26, 2026. The vendor is identified as Melapress based on reference domain analysis; this attribution carries low confidence and requires review. No exploitation in ransomware campaigns has been documented, and the vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog.
- Vendor
- Melapress
- Product
- WP Activity Log
- CVSS
- MEDIUM 6.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-25
- Original CVE updated
- 2026-05-26
- Advisory published
- 2026-05-25
- Advisory updated
- 2026-05-26
Who should care
WordPress site administrators using WP Activity Log plugin versions 5.6.3 or earlier; security teams managing WordPress security audit logging infrastructure; developers integrating with WP Activity Log APIs or audit data streams
Technical summary
DOM-based XSS vulnerability in the WP Activity Log WordPress plugin (≤5.6.3) allows an authenticated attacker with low privileges to run arbitrary JavaScript in a victim's browser: the plugin's client-side code places untrusted input into the page without encoding it. Because the injection happens in the DOM, the payload can be carried in a URL the victim is induced to open (user interaction required) and may be processed entirely in the browser, so server-side logs and filters do not necessarily see it.
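The following is an added illustration of the DOM-based XSS pattern the summary describes; it is not code from WP Activity Log or Melapress, and it does not reproduce the actual vulnerable sink. The page slug, the `filter` parameter and the attacker URL are hypothetical. It models the browser-side flow (a URL parameter as the source, markup destined for `innerHTML` as the sink) as plain string handling so that it runs under Node, and contrasts the unencoded rendering with an HTML-encoded one.

```javascript
// Added example, not plugin code. Models DOM-based XSS (CWE-79) outside the browser.
// Source: a URL query parameter, as location.search would expose it.
// Sink: an HTML string a page would assign to element.innerHTML.

// Constructed attacker URL (hypothetical page slug and parameter name).
const ATTACKER_URL =
  'https://example.test/wp-admin/admin.php?page=audit&filter=' +
  encodeURIComponent('<img src=x onerror=alert(document.cookie)>');

// DOM-XSS source: read a query parameter exactly as client-side code would.
function readParam(url, name) {
  return new URL(url).searchParams.get(name) ?? '';
}

// Vulnerable rendering: untrusted input concatenated straight into markup.
// In a browser, `el.innerHTML = renderFilterLabelUnsafe(x)` runs the onerror handler.
function renderFilterLabelUnsafe(filter) {
  return '<span class="filter-label">Filter: ' + filter + '</span>';
}

// Hardened rendering: encode the five HTML metacharacters before the input
// reaches the sink. In real DOM code, prefer textContent/createElement over innerHTML.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderFilterLabelSafe(filter) {
  return '<span class="filter-label">Filter: ' + escapeHtml(filter) + '</span>';
}

// Crude check on the produced markup: does it contain more tags than the
// template itself, or an event-handler attribute inside a tag? Either means
// the untrusted input became structure rather than text.
function introducesExecutableMarkup(html, templateTagCount) {
  const tags = (html.match(/<[a-zA-Z]/g) || []).length;
  const handlerInTag = /<[a-zA-Z][^>]*\son[a-z]+\s*=/i.test(html);
  return tags > templateTagCount || handlerInTag;
}

function demo() {
  const filter = readParam(ATTACKER_URL, 'filter');
  const unsafe = renderFilterLabelUnsafe(filter);
  const safe = renderFilterLabelSafe(filter);
  return {
    unsafeExecutes: introducesExecutableMarkup(unsafe, 1), // true
    safeExecutes: introducesExecutableMarkup(safe, 1),     // false
    safe,
  };
}

console.log(demo());
```

The encoded output keeps the payload visible as text (`&lt;img src=x onerror=...&gt;`) but never as a tag, which is the whole point of output encoding at the sink. Note that the crude `introducesExecutableMarkup` check is a teaching aid for comparing the two renderings, not a filter to deploy: attribute-context and URL-context injections need context-specific encoding that a tag count does not capture.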
Defensive priority
Medium
Recommended defensive actions
- Update WP Activity Log to a version newer than 5.6.3 as soon as a patched release is available; until then, monitor the plugin changelog and Melapress security advisories for the fixed version
- Review WordPress user roles and permissions to enforce least privilege, limiting the number of low-privileged accounts that can reach the plugin's pages, since the attacker needs such an account
- Deploy a Content Security Policy (CSP) whose script-src uses nonces or hashes and omits 'unsafe-inline'; only such a policy blocks injected inline handlers. WordPress admin pages commonly rely on inline scripts, so roll it out in Content-Security-Policy-Report-Only first and fix the violations before enforcing
- Enable automatic security updates for WordPress plugins where operational constraints permit
- Conduct a security review of custom integrations or extensions that render WP Activity Log audit data, since logged values are attacker-influenced input
- Consider Web Application Firewall (WAF) rules for common XSS payload patterns as temporary defense in depth, with the caveat that a DOM-based payload carried in a URL fragment is never sent to the server and will not be seen by a WAF
Evidence notes
CWE-79 (Improper Neutralization of Input During Web Page Generation) is the primary weakness classification. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L indicates a Medium-severity vulnerability: exploitable over the network with low complexity, but requiring a low-privileged account and an action by the victim; the changed scope (S:C) reflects that the injected script runs in the victim's browser rather than in the vulnerable plugin. The affected product is WP Activity Log, a WordPress security audit logging plugin.
Official resources
- CVE-2026-45435 CVE record (CVE.org)
- CVE-2026-45435 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: The vulnerability was disclosed through Patchstack's vulnerability database and subsequently indexed by NVD. The CVE record was published on May 25, 2026, with metadata updates on May 26, 2026.