Activity Log – Monitor & Record User Changes Security & Risk Analysis

wordpress.org/plugins/aryo-activity-log

This top rated Activity Log plugin helps you monitor & log all changes and actions on your WordPress site, so you can remain secure and organized.

200K active installs v2.11.2 PHP 7.0+ WP 6.0+ Updated Nov 12, 2024
Tags: activity-log, audit-log, email-log, security, user-log
Score: 85 · A · Safe
CVEs total: 9
Unpatched: 0
Last CVE: Nov 20, 2024
Safety Verdict

Is Activity Log – Monitor & Record User Changes Safe to Use in 2026?

Generally Safe

Score 85/100

Activity Log – Monitor & Record User Changes has a strong security track record. Known vulnerabilities have been patched promptly.

9 known CVEs · Last CVE: Nov 20, 2024 · Updated 1yr ago
Risk Assessment

The "aryo-activity-log" plugin v2.11.2 presents a mixed security posture. On the positive side, static analysis reveals a generally good implementation of security best practices. All identified AJAX entry points include authorization checks, and a significant majority of SQL queries utilize prepared statements, with a high percentage of outputs being properly escaped. The absence of critical or high severity taint flows, along with the lack of unpatched CVEs at this time, are also encouraging indicators. Nonce and capability checks are present across several entry points, further contributing to a robust defense against common web attacks.

However, the plugin's vulnerability history is a significant area of concern. With a total of 9 known CVEs, including 4 high and 5 medium severity vulnerabilities, the plugin has demonstrated a recurring pattern of security weaknesses. These past issues span critical areas such as SQL injection, cross-site scripting, and exposure of sensitive information, indicating a potential for undiscovered vulnerabilities or a history of inadequate security patching. While there are currently no unpatched vulnerabilities, the past trend suggests a need for continued vigilance and potentially more rigorous security testing by the developers. The single file operation and external HTTP request, while not flagged as dangerous, represent potential vectors that warrant careful monitoring.

In conclusion, the "aryo-activity-log" plugin exhibits strengths in its current code implementation regarding basic security measures like authentication and output escaping. Nevertheless, its historical vulnerability record casts a shadow on its overall security. The past prevalence of high and medium severity flaws, particularly in areas like SQL injection and XSS, should not be overlooked. Users should be aware that despite the absence of current unpatched issues, the plugin's history suggests a latent risk that could resurface with future updates or undiscovered vulnerabilities.

Key Concerns

  • High number of past high and medium severity CVEs
  • Past vulnerabilities include SQL Injection and XSS
  • One file operation detected
  • 67% of SQL queries use prepared statements
  • 89% of outputs properly escaped
Vulnerabilities: 9

Activity Log – Monitor & Record User Changes Security Vulnerabilities

CVEs by Year

  • 2014: 1 CVE
  • 2016: 3 CVEs
  • 2018: 1 CVE
  • 2021: 1 CVE
  • 2022: 1 CVE
  • 2023: 1 CVE
  • 2024: 1 CVE

Severity Breakdown

  • High: 4
  • Medium: 5

9 total CVEs

CVE-2024-10788 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Activity Log – Monitor & Record User Changes <= 2.11.1 - Unauthenticated Stored Cross-Site Scripting via Event Context

Nov 20, 2024 Patched in 2.11.2 (1d)

CVE-2023-4281 · medium · 5.3 · Use of Less Trusted Source

Activity Log <= 2.8.7 - IP Address Spoofing

Sep 1, 2023 Patched in 2.8.8 (144d)

CVE-2022-27858 · high · 8.3 · Improper Neutralization of Formula Elements in a CSV File

Activity Log <= 2.8.3 - CSV Injection

Sep 26, 2022 Patched in 2.8.4 (484d)

WF-7a94229a-6316-48e7-bcaa-23cb2cc047b4-aryo-activity-log · high · 8.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Activity Log 2.3.5 - 2.6.1 - SQL Injection

May 3, 2021 Patched in 2.7.0 (995d)

CVE-2018-8729 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Activity Log <= 2.4.0 - Multiple Cross-Site Scripting

Mar 8, 2018 Patched in 2.4.1 (2147d)

CVE-2016-10890 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Activity Log <= 2.3.2 - Reflected Cross-Site Scripting

Aug 3, 2016 Patched in 2.3.3 (2729d)

CVE-2016-10891 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Activity Log < 2.3.3 - Cross-Site Scripting

Aug 3, 2016 Patched in 2.3.3 (2729d)

WF-633a9cbf-451d-4fd1-822b-ef8966ff9a1a-aryo-activity-log · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Activity Log <= 2.3.2 - Reflected Cross-Site Scripting

Jul 29, 2016 Patched in 2.3.3 (2734d)

WF-97677968-9231-4a6b-ad81-ddb9eb9791dd-aryo-activity-log · high · 7.5 · Exposure of Sensitive Information to an Unauthorized Actor

Activity Log Plugin < 2.0.4 - Full Path Disclosure

Feb 27, 2014 Patched in 2.0.4 (3617d)
Code Analysis
Analyzed Mar 16, 2026

Activity Log – Monitor & Record User Changes Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 8 (16 prepared)
  • Unescaped Output: 15 (123 escaped)
  • Nonce Checks: 4
  • Capability Checks: 7
  • File Operations: 1
  • External Requests: 0
  • Bundled Libraries: 0

SQL Query Safety

67% prepared · 24 total queries

Output Escaping

89% escaped · 138 total outputs

Data Flows: All sanitized

Data Flow Analysis

5 flows
prepare_items (classes\class-aal-activity-log-list-table.php:698)
Attack Surface

Activity Log – Monitor & Record User Changes Attack Surface

Entry Points: 4
Unprotected: 0

AJAX Handlers 4

  • auth · wp_ajax_aal_promotion_dismiss · classes\class-aal-admin-ui.php:181
  • auth · wp_ajax_aal_promotion_campaign · classes\class-aal-admin-ui.php:182
  • auth · wp_ajax_aal_reset_items · classes\class-aal-settings.php:17
  • auth · wp_ajax_aal_get_properties · classes\class-aal-settings.php:18

WordPress Hooks 72

  • action · plugins_loaded · aryo-activity-log.php:109
  • filter · set-screen-option · classes\class-aal-activity-log-list-table.php:165
  • action · admin_menu · classes\class-aal-admin-ui.php:178
  • action · admin_head · classes\class-aal-admin-ui.php:179
  • action · admin_init · classes\class-aal-api.php:9
  • action · aal/maintenance/clear_old_items · classes\class-aal-api.php:10
  • action · aal_admin_page_load · classes\class-aal-export.php:11
  • action · aal_admin_page_load · classes\class-aal-export.php:12
  • filter · aal_record_actions · classes\class-aal-export.php:14
  • filter · edit_aal_logs_per_page · classes\class-aal-export.php:52
  • filter · aal_whitelist_options · classes\class-aal-integration-woocommerce.php:13
  • filter · woocommerce_get_settings_pages · classes\class-aal-integration-woocommerce.php:14
  • action · init · classes\class-aal-integration-woocommerce.php:53
  • action · wpmu_new_blog · classes\class-aal-maintenance.php:108
  • action · delete_blog · classes\class-aal-maintenance.php:110
  • action · init · classes\class-aal-notifications.php:19
  • action · aal_load_notification_handlers · classes\class-aal-notifications.php:20
  • action · aal_insert_log · classes\class-aal-notifications.php:21
  • filter · wp_privacy_personal_data_exporters · classes\class-aal-privacy.php:13
  • action · admin_init · classes\class-aal-privacy.php:14
  • action · init · classes\class-aal-settings.php:10
  • action · admin_menu · classes\class-aal-settings.php:11
  • action · admin_init · classes\class-aal-settings.php:12
  • action · admin_notices · classes\class-aal-settings.php:13
  • action · admin_footer · classes\class-aal-settings.php:14
  • action · add_attachment · hooks\class-aal-hook-attachments.php:31
  • action · edit_attachment · hooks\class-aal-hook-attachments.php:32
  • action · delete_attachment · hooks\class-aal-hook-attachments.php:33
  • action · wp_insert_comment · hooks\class-aal-hook-comments.php:62
  • action · edit_comment · hooks\class-aal-hook-comments.php:63
  • action · trash_comment · hooks\class-aal-hook-comments.php:64
  • action · untrash_comment · hooks\class-aal-hook-comments.php:65
  • action · spam_comment · hooks\class-aal-hook-comments.php:66
  • action · unspam_comment · hooks\class-aal-hook-comments.php:67
  • action · delete_comment · hooks\class-aal-hook-comments.php:68
  • action · transition_comment_status · hooks\class-aal-hook-comments.php:69
  • action · _core_updated_successfully · hooks\class-aal-hook-core.php:43
  • action · update_site_option_auto_update_core_major · hooks\class-aal-hook-core.php:44
  • action · wp_mail_succeeded · hooks\class-aal-hook-emails.php:128
  • action · wp_mail_failed · hooks\class-aal-hook-emails.php:130
  • action · export_wp · hooks\class-aal-hook-export.php:18
  • action · wp_update_nav_menu · hooks\class-aal-hook-menus.php:31
  • action · wp_create_nav_menu · hooks\class-aal-hook-menus.php:32
  • action · delete_nav_menu · hooks\class-aal-hook-menus.php:33
  • action · updated_option · hooks\class-aal-hook-options.php:122
  • action · update_option_activity-log-settings · hooks\class-aal-hook-options.php:123
  • action · activated_plugin · hooks\class-aal-hook-plugins.php:111
  • action · deactivated_plugin · hooks\class-aal-hook-plugins.php:112
  • action · delete_plugin · hooks\class-aal-hook-plugins.php:114
  • action · upgrader_process_complete · hooks\class-aal-hook-plugins.php:116
  • action · update_site_option_auto_update_plugins · hooks\class-aal-hook-plugins.php:118
  • action · transition_post_status · hooks\class-aal-hook-posts.php:79
  • action · delete_post · hooks\class-aal-hook-posts.php:80
  • action · created_term · hooks\class-aal-hook-taxonomies.php:37
  • action · edited_term · hooks\class-aal-hook-taxonomies.php:38
  • action · delete_term · hooks\class-aal-hook-taxonomies.php:39
  • action · switch_theme · hooks\class-aal-hook-themes.php:143
  • action · delete_site_transient_update_themes · hooks\class-aal-hook-themes.php:144
  • action · upgrader_process_complete · hooks\class-aal-hook-themes.php:145
  • action · customize_save · hooks\class-aal-hook-themes.php:148
  • action · update_site_option_auto_update_themes · hooks\class-aal-hook-themes.php:151
  • action · wp_login · hooks\class-aal-hook-users.php:85
  • action · clear_auth_cookie · hooks\class-aal-hook-users.php:86
  • action · delete_user · hooks\class-aal-hook-users.php:87
  • action · user_register · hooks\class-aal-hook-users.php:88
  • action · profile_update · hooks\class-aal-hook-users.php:89
  • filter · wp_login_failed · hooks\class-aal-hook-users.php:90
  • filter · widget_update_callback · hooks\class-aal-hook-widgets.php:41
  • filter · sidebar_admin_setup · hooks\class-aal-hook-widgets.php:42
  • action · init · notifications\abstract-class-aal-notification-base.php:22
  • action · aal_validate_options · notifications\abstract-class-aal-notification-base.php:23
  • filter · wp_mail_content_type · notifications\class-aal-notification-email.php:45

Scheduled Events 1

aal/maintenance/clear_old_items
Maintenance & Trust

Activity Log – Monitor & Record User Changes Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.7.5
  • Last updated: Nov 12, 2024
  • PHP min version: 7.0
  • Downloads: 4.0M

Community Trust

  • Rating: 86/100
  • Number of ratings: 74
  • Active installs: 200K
Developer Profile

Activity Log – Monitor & Record User Changes Developer Profile

Elementor

15 plugins · 13.2M total installs

  • Trust score: 76
  • Avg Security Score: 95/100
  • Avg Patch Time: 704 days
Detection Fingerprints

How We Detect Activity Log – Monitor & Record User Changes

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/aryo-activity-log/assets/js/settings.js
  • /wp-content/plugins/aryo-activity-log/assets/css/settings.css
Script Paths
  • /wp-content/plugins/aryo-activity-log/assets/js/settings.js
Version Parameters
  • aryo-activity-log/assets/js/settings.js?ver=
  • aryo-activity-log/assets/css/settings.css?ver=

HTML / DOM Fingerprints

CSS Classes
  • aal-activity-log-settings
Data Attributes
  • data-aal-action
  • data-aal-title
  • data-aal-name
  • data-aal-description
  • data-aal-class
JS Globals
  • aal_params
REST Endpoints
  • /wp-json/aal/v1/logs
  • /wp-json/aal/v1/log/(?P<id>\d+)
  • /wp-json/aal/v1/logs/(?P<id>\d+)
FAQ

Frequently Asked Questions about Activity Log – Monitor & Record User Changes