WordPress Plugin Vulnerabilities

User Activity Tracking and Log < 4.0.9 - License Update/Deactivation via CSRF

Description

The plugin does not have proper CSRF checks when managing its license, which could allow attackers to make logged in admins update and deactivate the plugin's license via CSRF attacks

Proof of Concept

Affects Plugins

Plugin icon
user-activity-tracking-and-log
Fixed in 4.0.9

References

CVE
CVE-2023-4150

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Erwan LR (WPScan)
Submitter
Erwan LR (WPScan)
Verified
Yes
WPVDB ID
381ef15b-aafe-4ef4-a0bc-867d891f7f44

Timeline

Publicly Published
2023-08-07 (about 2 years ago)
Added
2023-08-07 (about 2 years ago)
Last Updated
2023-08-07 (about 2 years ago)

Other

Published
Title
Published
2025-02-24
Title
Erima Zarinpal Donate <= 1.0 - Cross-Site Request Forgery
Published
2025-11-05
Title
Easy Email Subscription < 1.3.1 - Cross-Site Request Forgery to Arbitrary Subscriber Deletion
Published
2014-08-01
Title
Dailydeal by Templatic - CSRF File Upload
Published
2025-06-05
Title
Interactive Regional Map of Africa <= 1.0 - Cross-Site Request Forgery
Published
2025-03-28
Title
OmniLeads Scripts and Tags Manager <= 1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting