WordPress Plugin Vulnerabilities

WP Activity Log < 4.1.5 - SQL Injection in External Database Module

Description

Two SQL Injection vulnerabilities were identified in the WP Activity Log WordPress plugin.

The changelog of the plugin states:

"SQL Injection in external database module reported by WP deeply. Thank you for the responsible disclosure."

Affects Plugins

Plugin icon
wp-security-audit-log
Fixed in 4.1.5

References

URL
https://plugins.trac.wordpress.org/changeset/2412493/wp-security-audit-log
URL
https://github.com/WPWhiteSecurity/wp-activity-log/commit/150c6828e05f50b6a119109f0f392cd9e87ff217

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
8.8 (high)

Miscellaneous

Original Researcher
WP deeply
Verified
No
WPVDB ID
4ec13b3c-7fc9-4d9a-98f5-e59187d128a4

Timeline

Publicly Published
2020-11-02 (about 5 years ago)
Added
2020-11-08 (about 5 years ago)
Last Updated
2020-11-09 (about 5 years ago)

Other

Published
Title
Published
2024-07-19
Title
FormLift for Infusionsoft Web Forms < 7.5.18 - Unauthenticated SQL Injection
Published
2025-10-23
Title
MasterStudy LMS < 3.6.28 - Authenticated (Instructor+) SQL Injection
Published
2022-01-25
Title
AP Custom Testimonial < 1.4.8 - Admin+ SQL Injection
Published
2025-05-07
Title
PDF Invoices for WooCommerce + Drag and Drop Template Builder < 5.4.0 - Authenticated (Administrator+) SQL Injection
Published
2015-07-16
Title
Plugmatter Optin Feature Box <= 2.0.13 - Unauthenticated Blind SQL Injection