XSS in Dev4press Coreactivity
CVE-2024-0852
The coreActivity: Activity Logging for WordPress plugin before 1.8.1 does not escape some request data when outputting it back in the admin dashboard, allowing unauthenticated users to perform a Stored XSS attack against high-privilege users…
Vulnerability class: XSS (Cross-Site Scripting)
EPSS: 0.006 (43.2nd percentile).
CVSS v3 metric
CVSS v3 base score 8.8 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.
Affected products
- Dev4press Coreactivity
- Unknown Coreactivity: Activity Logging For Wordpress — versions 0
Weakness classification (CWE)
Public proof-of-concept exploits
References
- contact@wpscan.com (Exploit, technical-description, Third Party Advisory, exploit, vdb-entry)
Frequently asked questions
- What is CVE-2024-0852?
- CVE-2024-0852 is a high-severity vulnerability in Dev4press Coreactivity, classified under Cross-site Scripting. CVSS score: 8.8/10. Published 2025-05-15.
- How severe is CVE-2024-0852?
- High severity. CVSS v3 base score is 8.8 out of 10.
- Is CVE-2024-0852 known to be exploited?
- 1 public proof-of-concept repository is indexed. Not currently listed in the CISA KEV catalog.