CVE-2025-11877 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the User Activity Log plugin developed by solwininfotech for WordPress. The flaw exists in versions up to and including 2.2, where the failed-login handler function 'ual_shook_wp_login_failed' does not perform any capability or authorization checks before invoking WordPress's update_option() function. This improper access control allows unauthenticated attackers to push changes to certain site options by submitting failed login attempts with crafted usernames. Specifically, attackers can set options from zero to non-zero values, which can reopen user registration on the site or corrupt critical options like 'wp_user_roles'. Corruption of 'wp_user_roles' can break administrative access to the WordPress backend (wp-admin), effectively locking out legitimate administrators. The vulnerability is remotely exploitable without any authentication or user interaction, increasing its risk profile. The CVSS v3.1 base score is 7.5 (high), reflecting the ease of exploitation and the high impact on integrity, although confidentiality and availability impacts are minimal. No patches or known exploits are currently reported, but the vulnerability's presence in a widely used plugin poses a significant risk to WordPress sites that have not updated or mitigated the issue.

For European organizations, this vulnerability poses a serious risk to WordPress-based websites that utilize the User Activity Log plugin. Successful exploitation can lead to unauthorized modification of site configurations, such as reopening user registrations, which could facilitate further attacks or spam registrations. More critically, corruption of the 'wp_user_roles' option can lock out administrators, disrupting website management and potentially causing prolonged downtime or loss of control over the site. This can impact business continuity, brand reputation, and compliance with data protection regulations like GDPR if site integrity is compromised. Organizations relying on WordPress for customer-facing portals, intranets, or e-commerce platforms are particularly vulnerable. Given the plugin’s broad usage, especially among small to medium enterprises and agencies in Europe, the threat could affect a wide range of sectors including retail, education, and public services. The lack of authentication requirement and remote exploitability make this vulnerability attractive to opportunistic attackers and automated scanning tools.

Immediate mitigation steps include disabling or uninstalling the User Activity Log plugin until a patched version is released. If disabling is not feasible, restrict access to wp-login.php and related endpoints using web application firewalls (WAFs) or IP whitelisting to limit exposure to unauthenticated requests. Implement monitoring for unusual failed login attempts and changes to site options, especially 'wp_user_roles' and registration settings. Backup WordPress databases regularly to enable quick restoration in case of corruption. Review and harden WordPress user roles and permissions to minimize the impact of potential configuration changes. Stay alert for official patches or updates from solwininfotech and apply them promptly once available. Additionally, consider deploying security plugins that enforce stricter authorization checks on option updates or provide enhanced login security features. Conduct internal audits of installed plugins to identify and remediate similar authorization issues proactively.