CVE-2025-11877 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the solwininfotech User Activity Log WordPress plugin, specifically versions up to and including 2.2. The issue stems from the failed-login handler function 'ual_shook_wp_login_failed', which lacks proper capability checks before executing update_option() calls. This function writes failed login usernames directly into site options without verifying if the requester is authorized. As a result, unauthenticated attackers can manipulate certain site options by pushing their values from zero to non-zero. This manipulation can reopen user registration on the site or corrupt critical options like 'wp_user_roles', which define user roles and capabilities within WordPress. Corruption of 'wp_user_roles' can break administrative access, effectively locking out legitimate administrators from the wp-admin dashboard. The vulnerability is remotely exploitable over the network without requiring authentication or user interaction, increasing its risk profile. The CVSS v3.1 base score is 7.5 (high), reflecting the ease of exploitation and the high impact on integrity, though confidentiality and availability are not directly affected. No patches or official fixes are currently linked, and no known exploits have been observed in the wild as of the publication date. The vulnerability was reserved in October 2025 and published in January 2026. Given the widespread use of WordPress and the popularity of activity log plugins, this vulnerability poses a significant threat to affected sites.

The primary impact of CVE-2025-11877 is on the integrity of WordPress site configurations. By allowing unauthenticated attackers to modify site options, the vulnerability can lead to unauthorized reopening of user registrations, enabling attackers to create accounts or escalate privileges. More critically, corruption of the 'wp_user_roles' option can disable or alter user roles and permissions, potentially locking out legitimate administrators and preventing site management. This can result in prolonged site downtime, loss of administrative control, and increased risk of further compromise. Although confidentiality and availability are not directly impacted, the loss of administrative access can indirectly affect site availability and security posture. Organizations relying on the affected plugin face risks of unauthorized configuration changes, potential privilege escalation, and operational disruption. The ease of remote exploitation without authentication increases the likelihood of attacks, especially on sites with public-facing login pages. The absence of known exploits in the wild suggests limited current exploitation but also highlights the need for proactive mitigation before attackers develop weaponized exploits.

1. Immediate mitigation involves disabling or uninstalling the solwininfotech User Activity Log plugin until an official patch is released. 2. Monitor WordPress plugin repositories and vendor communications for updates or patches addressing CVE-2025-11877 and apply them promptly. 3. Implement Web Application Firewall (WAF) rules to block or rate-limit requests targeting the failed-login handler or suspicious update_option() calls, especially those attempting to modify site options without authentication. 4. Restrict access to wp-admin and login endpoints using IP whitelisting or VPN access where feasible to reduce exposure. 5. Regularly back up WordPress site configurations, including the database, to enable quick restoration of 'wp_user_roles' and other critical options if corrupted. 6. Audit site options and user roles frequently to detect unauthorized changes early. 7. Employ intrusion detection systems (IDS) to monitor for anomalous activity related to option updates. 8. Educate site administrators about this vulnerability and encourage vigilance regarding unexpected changes in user registration settings or administrative access issues. 9. Consider deploying security plugins that enforce capability checks or harden option update mechanisms as an interim protective measure.