Multiple cross-site scripting (XSS) vulnerabilities in the Activity Log plugin before 2.4.1 for WordPress allow remote attackers to inject arbitrary JavaScript or HTML via a title that is not escaped.
{
"unresolved_ranges": [
{
"extracted_events": [
{
"fixed": "2.4.1"
}
],
"source": "CPE_RANGE",
"vendor_product": "pojo:activity_log",
"cpes": [
"cpe:2.3:a:pojo:activity_log:*:*:*:*:*:wordpress:*:*"
]
}
]
}