Activity Log for WordPress Security & Risk Analysis

wordpress.org/plugins/winterlock

Detailed WordPress Activity Log with user request tracking, instant logout, request restrictions, locking, blocking, alerts, and more.

60 active installs v1.2.9 PHP + WP 5.0+ Updated Feb 11, 2026
Tags: access-restriction, activity-log, events-log, requests-log, system-log
Score: 95 (A · Safe)
CVEs total: 4
Unpatched: 0
Last CVE: Mar 17, 2026
Safety Verdict

Is Activity Log for WordPress Safe to Use in 2026?

Generally Safe

Score 95/100

Activity Log for WordPress has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

4 known CVEs · Last CVE: Mar 17, 2026 · Updated 3mo ago
Risk Assessment

The "winterlock" plugin version 1.2.9 presents a mixed security posture. While it has a considerable number of proper output escaping implementations and nonce checks, several concerning areas remain. The static analysis reveals an attack surface with two AJAX handlers, one of which lacks authentication checks, posing a direct risk. Furthermore, the presence of 34 instances of dangerous functions, particularly 'unserialize', suggests a potential for deserialization vulnerabilities if not handled with extreme care. The taint analysis highlights three high-severity flows with unsanitized paths, indicating potential for injection attacks. The vulnerability history shows three past medium-severity vulnerabilities, including missing authorization, CSRF, and XSS, which, despite being patched, indicate a pattern of past security weaknesses. The fact that the last vulnerability was in the future (2026-02-11) is an anomaly in the data and should be disregarded for accurate assessment of current risk. Overall, the plugin has some good security practices, but the unprotected AJAX handler, high-severity taint flows, and the history of past vulnerabilities warrant careful consideration and remediation.

Key Concerns

  • AJAX handler without auth checks
  • High severity unsanitized taint flows
  • Unescaped output percentage is low
  • SQL queries not fully prepared
  • Bundled Freemius v1.0 library
  • Bundled DataTables library
Vulnerabilities
4 published

Activity Log for WordPress Security Vulnerabilities

CVEs by Year

  • 2021: 1 CVE
  • 2025: 1 CVE
  • 2026: 2 CVEs

Severity Breakdown

  • Medium: 4

4 total CVEs

CVE-2026-24987 · medium · 4.3 · Missing Authorization

Activity Log for WordPress <= 1.2.7 - Missing Authorization

Mar 17, 2026 · Patched in 1.2.8 (11d)

CVE-2026-1671 · medium · 6.5 · Missing Authorization

Activity Log for WordPress <= 1.2.8 - Missing Authorization to Sensitive Information Exposure via Log File

Feb 11, 2026 · Patched in 1.2.9 (1d)

CVE-2025-24982 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery <= 1.2.4 - Cross-Site Request Forgery

Feb 4, 2025 · Patched in 1.2.5 (21d)

CVE-2021-24756 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP System Log < 1.0.21 - Cross-Site Scripting

Nov 15, 2021 · Patched in 1.0.21 (799d)
Code Analysis
Analyzed Mar 16, 2026

Activity Log for WordPress Code Analysis

  • Dangerous Functions: 34
  • Raw SQL Queries: 24 raw, 11 prepared
  • Output: 507 unescaped, 600 escaped
  • Nonce Checks: 21
  • Capability Checks: 16
  • File Operations: 7
  • External Requests: 0
  • Bundled Libraries: 2

Dangerous Functions Found

unserialize · $request_data = unserialize($row->request_data); · application\controllers\Wal_favouritelogs.php:81
unserialize · $header_data = unserialize($row->header_data); · application\controllers\Wal_favouritelogs.php:92
unserialize · $request_data = unserialize($row->request_data); · application\controllers\Wal_history.php:137
unserialize · $header_data = unserialize($row->header_data); · application\controllers\Wal_history.php:147
unserialize · 'filter_par'=> json_encode(unserialize($filter['filter_par'])) · application\controllers\Wal_history.php:331
unserialize · $request_data = unserialize($row->request_data); · application\controllers\Winteractivitylog.php:150
unserialize · $header_data = unserialize($row->header_data); · application\controllers\Winteractivitylog.php:161
unserialize · 'filter_par'=> json_encode(unserialize($filter['filter_par'])) · application\controllers\Winteractivitylog.php:340
unserialize · $data_row['request_data'] = unserialize($row->request_data); · application\models\Report_m.php:140
unserialize · $data_row['header_data'] = unserialize($row->header_data); · application\models\Report_m.php:141
unserialize · $data_row['other_data'] = unserialize($row->other_data); · application\models\Report_m.php:142
unserialize · $data_row['request_data'] = unserialize($row->request_data); · application\models\Report_m.php:256
unserialize · $data_row['header_data'] = unserialize($row->header_data); · application\models\Report_m.php:257
unserialize · $data_row['other_data'] = unserialize($row->other_data); · application\models\Report_m.php:258
unserialize · $log_data_array = unserialize($log_data->request_data); · application\views\wal_controlsecurity\control_log.php:173
unserialize · $request_data = unserialize($log_data->other_data); · application\views\wal_controlsecurity\control_log.php:175
unserialize · $request_data = unserialize($log_data->request_data); · application\views\wal_controlsecurity\control_log.php:246
unserialize · $request_data = unserialize($log_data->request_data); · application\views\wal_controlsecurity\control_log.php:302
unserialize · $request_data = unserialize($log_data->header_data) · application\views\wal_controlsecurity\control_log.php:363
unserialize · $header_data = unserialize($row->header_data); · application\views\wal_dashwidgets\logs_list.php:175
unserialize · $request_data = unserialize($form_data->request_data); · application\views\wal_history\edit_history.php:92
unserialize · $request_data = unserialize($form_data->request_data); · application\views\wal_history\edit_history.php:125
unserialize · $request_data = unserialize($form_data->request_data); · application\views\wal_history\edit_history.php:172
unserialize · $request_data = unserialize($form_data->header_data) · application\views\wal_history\edit_history.php:204
unserialize · $form_data_array = unserialize($form_data->request_data); · application\views\wal_history\edit_history.php:236
unserialize · $request_data = unserialize($form_data->other_data); · application\views\wal_history\edit_history.php:238
unserialize · $request_data = unserialize($form_data->request_data); · application\views\winteractivitylog\edit_log.php:101
unserialize · $request_data = unserialize($form_data->request_data); · application\views\winteractivitylog\edit_log.php:134
unserialize · $request_data = unserialize($form_data->request_data); · application\views\winteractivitylog\edit_log.php:181
unserialize · $request_data = unserialize($form_data->header_data) · application\views\winteractivitylog\edit_log.php:213
unserialize · $form_data_array = unserialize($form_data->request_data); · application\views\winteractivitylog\edit_log.php:245
unserialize · $request_data = unserialize($form_data->other_data); · application\views\winteractivitylog\edit_log.php:247
unserialize · $request_data = unserialize( $row['request_data'] ); · includes\helper-functions.php:378
unserialize · $other_data = unserialize( $row['other_data'] ); · includes\helper-functions.php:396

Bundled Libraries

DataTables · Freemius 1.0

SQL Query Safety

31% prepared · 35 total queries

Output Escaping

54% escaped · 1107 total outputs
Data Flows · Security
6 unsanitized

Data Flow Analysis

10 flows · 6 with unsanitized paths
whitelist_custom_options_page (admin\class-winter-activity-log-admin.php:865)
Attack Surface
1 unprotected

Activity Log for WordPress Attack Surface

Entry Points: 2
Unprotected: 1

AJAX Handlers 2

auth · wp_ajax_winter_activity_log_action · includes\class-winter-activity-log.php:186
auth · wp_ajax_winterlock_review_action · includes\class-winterlock-review-request.php:51
WordPress Hooks 16
action · whitelist_options · admin\class-winter-activity-log-admin.php:864
action · wal_my_hourly_event · includes\class-winter-activity-log-logger.php:79
action · plugins_loaded · includes\class-winter-activity-log.php:168
action · admin_enqueue_scripts · includes\class-winter-activity-log.php:182
action · admin_enqueue_scripts · includes\class-winter-activity-log.php:183
action · admin_menu · includes\class-winter-activity-log.php:204
action · wp_enqueue_scripts · includes\class-winter-activity-log.php:223
action · wp_enqueue_scripts · includes\class-winter-activity-log.php:224
action · init · includes\class-winter-activity-log.php:274
action · plugins_loaded · includes\class-winter-activity-log.php:282
action · init · includes\class-winterlock-review-request.php:50
action · admin_notices · includes\class-winterlock-review-request.php:60
action · network_admin_notices · includes\class-winterlock-review-request.php:61
action · user_admin_notices · includes\class-winterlock-review-request.php:62
action · wp_dashboard_setup · includes\dash-widgets\logs-list.php:3
filter · connect_message_on_update · winterlock.php:142

Scheduled Events 1

wal_my_hourly_event
Maintenance & Trust

Activity Log for WordPress Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 11, 2026
PHP min version
Downloads: 11K

Community Trust

Rating: 88/100
Number of ratings: 7
Active installs: 60
Developer Profile

Activity Log for WordPress Developer Profile

activity-log.com

5 plugins · 1K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 118 days
Detection Fingerprints

How We Detect Activity Log for WordPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/winterlock/admin/css/winter-activity-log-admin.css
/wp-content/plugins/winterlock/public/css/winter-activity-log-public.css
/wp-content/plugins/winterlock/public/js/winter-activity-log-public.js
Script Paths
/wp-content/plugins/winterlock/public/js/winter-activity-log-public.js
Version Parameters
winterlock/css/winter-activity-log-admin.css?ver=
winterlock/css/winter-activity-log-public.css?ver=
winterlock/js/winter-activity-log-public.js?ver=

HTML / DOM Fingerprints

HTML Comments
<!-- TimeWinterLock:
FAQ

Frequently Asked Questions about Activity Log for WordPress