WordPress Plugin Vulnerabilities

User Activity Tracking and Log < 4.1.4 - IP Spoofing

Description

This plugin retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value.

Proof of Concept

Affects Plugins

Plugin icon
user-activity-tracking-and-log
Fixed in 4.1.4

References

CVE
CVE-2024-0970
URL
https://research.cleantalk.org/cve-2024-0970-user-activity-tracking-and-log-ip-spoofing/

Classification

Type
SPOOFING
OWASP top 10
A5: Broken Access Control
CWE
CWE-290
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Dmitrii Ignatyev
Submitter
Dmitrii Ignatyev
Submitter website
https://research.cleantalk.org
Verified
Yes
WPVDB ID
7df6877c-6640-41be-aacb-20c7da61e4db

Timeline

Publicly Published
2024-01-29 (about 1 year ago)
Added
2024-01-29 (about 1 year ago)
Last Updated
2024-02-06 (about 1 year ago)

Other

Published
Title
Published
2023-12-27
Title
Rate my Post < 3.4.3 - IP Spoofing
Published
2024-02-12
Title
Defender Security < 4.4.2 - IP Address Spoofing
Published
2024-10-07
Title
Limit Login Attempts (Spam Protection) < 5.4 - IP Address Spoofing to Protection Mechanism Bypass
Published
2025-10-09
Title
All In One Login 2.0.8 - IP Sooofing to Protection Mechanism Bypass
Published
2024-03-28
Title
Newsletter < 8.2.1 - IP Spoofing