
WP Activity Log Security & Risk Analysis
wordpress.org/plugins/wp-security-audit-log
The #1 user-rated activity log plugin for event logging, activity monitoring and change tracking.
Is WP Activity Log Safe to Use in 2026?
Mostly Safe
Score 82/100
WP Activity Log is generally safe to use. 11 past CVEs were resolved. Keep it updated.
The wp-security-audit-log plugin version 5.6.1 exhibits a mixed security posture. On the positive side, it demonstrates good practices in SQL query handling with 85% using prepared statements and a high percentage of properly escaped outputs. The presence of numerous nonce and capability checks also indicates an effort towards securing its functionalities. However, significant concerns arise from the substantial attack surface, particularly the 13 unprotected AJAX handlers, which present a prime target for unauthorized actions. The identified taint flow with high severity and unsanitized paths, coupled with the use of the `unserialize` function, points to potential vulnerabilities like deserialization attacks and cross-site scripting. The plugin's history of 11 known CVEs, including past critical and high-severity issues, although none are currently unpatched, suggests a pattern of past exploitable weaknesses that require diligent maintenance and timely updates. The last vulnerability in 2026 suggests the data may be from the future or an error, but the sheer volume and types of past vulnerabilities are concerning.
Key Concerns
- Unprotected AJAX handlers
- Taint flow with high severity and unsanitized path
- Use of 'unserialize' function
- Bundled outdated library (Select2 v3.5.1)
- High number of known past CVEs (11 total)
- Past critical severity vulnerabilities
- Past high severity vulnerabilities
WP Activity Log Security Vulnerabilities
CVEs by Year
Severity Breakdown
11 total CVEs
Activity Log <= 5.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
WP Activity Log <= 5.3.2 - Authenticated (Admin+) PHP Object Injection
WP Activity Log <= 5.2.2 - Unauthenticated Stored Cross-Site Scripting
WP Activity Log <= 5.2.1 - Unauthenticated Stored Cross-Site Scripting via User_id Parameter
WP Activity Log <= 4.6.1 - Unauthenticated Stored Cross-Site Scripting
WP Activity Log <= 4.1.4 - SQL Injection
WP Activity Log <= 4.0.1 - Missing Authorization
Freemius SDK <= 2.2.3 - Missing Authorization to Arbitrary Options Update
WP Security Audit Log <= 3.1.1 - Sensitive Information Disclosure
WP Activity Log 1.5 - 2.4.3 - Reflected Cross-Site Scripting
WP Activity Log <= 1.2.4 - Cross-Site Request Forgery
WP Activity Log Code Analysis
Dangerous Functions Found
Bundled Libraries
SQL Query Safety
Output Escaping
Data Flow Analysis
WP Activity Log Attack Surface
AJAX Handlers 22
WordPress Hooks 191
WP Activity Log Maintenance & Trust
Maintenance Signals
Community Trust
WP Activity Log Alternatives
Unbranded Portal Connector
unbranded-portal-connector
Log all of your user activity and report directly into your Unbranded Portal, without bloating your database.
Adminify Activity Logs
adminify-activity-logs
Track WordPress dashboard activities with this free plugin. Monitor user actions, filter by time, role for complete site security and accountability
Complete Security, Activity Log & WooCommerce Analytics Tracker – Activity Guard
notifier-to-slack
Track user, support forum & system activity log, monitor WooCommerce analytics with complete WordPress Security with activity guard.
ActivityLog – wordpress logging for actions inside admin
activitylog
A WordPress plugin that logs user logins, logouts, post/page creation/updates/deletion, and plugin activation/deactivation/deletion events.
Simple History – Track, Log, and Audit WordPress Changes
simple-history
Track changes and user activities on your WordPress site. See who created a page, uploaded an attachment, and more, for a complete audit trail.
WP Activity Log Developer Profile
6 plugins · 417K total installs
How We Detect WP Activity Log
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
HTML / DOM Fingerprints
- `wsal-login-page`, `wsal-activity-log-page`, `wsal-settings-page`, `wsal-dashboard-page`, `wsal-add-ons-page`, `wsal-event-details-page`, `wsal-notification-page`, `wsal-widgets-page` (+2 more)
- `/* @free:start */`, `/* @free:end */`
- `data-toggle`, `data-target`, `data-trigger`, `data-placement`, `data-content`, `data-original-title` (+7 more)
- `wsal_login_vars`, `wsal_admin_vars`, `wsal_dashboard_vars`, `wsal_settings_vars`, `wsal_activity_log_vars`, `wsal_event_details_vars` (+11 more)
- `/wp-json/wsal/v1/logs`, `/wp-json/wsal/v1/logs/(?P<id>\d+)`, `/wp-json/wsal/v1/settings`, `/wp-json/wsal/v1/settings/(?P<key>.*)`, `/wp-json/wsal/v1/notifications`, `/wp-json/wsal/v1/notifications/(?P<id>\d+)`, `/wp-json/wsal/v1/widgets`, `/wp-json/wsal/v1/widgets/(?P<id>\d+)`