WordPress Plugin Vulnerabilities

User Activity Log < 1.6.3 - Admin+ SQL Injection

Description

The plugin does not properly sanitise and escape the `txtsearch` parameter before using it in a SQL statement in some admin pages, leading to a SQL injection exploitable by high privilege users such as admin.

Proof of Concept

As an admin, visit either of the following URL's. Note that it takes several seconds for the page to load, which illustrates the SQL Injection vulnerability.

/wp-admin/admin.php?page=general_settings_menu&display=users&txtsearch=%27+AND+%28SELECT+1+FROM+%28SELECT%28SLEEP%281%29%29%29x%29+AND+%27x%27%3D%27

/wp-admin/admin.php?page=user_action_log&txtsearch=%27+AND+%28SELECT+1+FROM+%28SELECT%28SLEEP%281%29%29%29x%29+AND+%27x%27%3D%27

Affects Plugins

Plugin icon
user-activity-log
Fixed in 1.6.3

References

CVE
CVE-2023-2761

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
4.1 (medium)

Miscellaneous

Original Researcher
Ilyase Dehy and Aymane Mazguiti
Submitter
Aymane Mazguiti
Verified
Yes
WPVDB ID
8c82d317-f9f9-4e25-a7f1-43edb77e8aba

Timeline

Publicly Published
2023-07-03 (about 4 months ago)
Added
2023-07-03 (about 4 months ago)
Last Updated
2023-07-03 (about 4 months ago)

Other

Published
Title
Published
2022-12-09
Title
WP User <= 7.0 - Unauthenticated SQLi
Published
2015-04-28
Title
rtMedia for WordPress, BuddyPress & bbPress 3.7.39 - SQL Injection
Published
2015-03-17
Title
Gravity Forms 1.8 <= 1.9.3.5 - Authenticated Blind SQL Injection
Published
2014-08-01
Title
Eventify - Simple Events <= 1.7.f - SQL Injection
Published
2017-01-28
Title
FormBuilder <= 1.0.7 - Multiple Authenticated SQL Injection