CVE-2025-11877 is a missing authorization vulnerability (CWE-862) in the User Activity Log plugin for WordPress by solwininfotech, affecting versions up to and including 2.2. The vulnerability arises because the failed-login handler 'ual_shook_wp_login_failed' does not perform capability checks before writing failed usernames into update_option() calls. This allows unauthenticated attackers to modify select site options from zero to non-zero values, which can lead to reopening user registration or corrupting critical options like 'wp_user_roles'. Such corruption can disrupt administrative access to the WordPress dashboard. The vulnerability has a CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating high impact on integrity without affecting confidentiality or availability. No patch or remediation guidance is currently provided by the vendor, and no known exploits have been observed in the wild. CVE-2025-13471 is considered a duplicate of this vulnerability.

An unauthenticated attacker can exploit this vulnerability to modify certain WordPress site options without authorization. This can result in reopening user registration or corrupting critical options such as 'wp_user_roles', which may break administrative access to the WordPress backend. The integrity of the site configuration is compromised, potentially allowing persistent unauthorized changes. There is no impact on confidentiality or availability reported. No known exploits are currently in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, administrators should monitor for updates from solwininfotech regarding this vulnerability. As no official patch or temporary fix is currently available, consider restricting access to the affected plugin or disabling it if feasible to reduce exposure.