WordPress Plugin Vulnerabilities

WP Security Audit Log < 4.0.2 - Broken Access Control in First-Time Install Wizard

Description

Broken access control vulnerability affecting version 4.0.1 and below that could lead to privilege escalation, sensitive data exposure and insecure deserialisation.
To exploit the vulnerability, the wizard must not have been completed, otherwise it won’t work

Affects Plugins

Plugin icon
wp-security-audit-log
Fixed in 4.0.2

References

CVE
CVE-2020-36716
URL
https://blog.nintechnet.com/vulnerabilities-fixed-in-wordpress-wp-security-audit-log-plugin/

Classification

Type
PRIVESC
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-269

Miscellaneous

Original Researcher
Jerome Bruandet (nintechnet.com)
Verified
No
WPVDB ID
a86adca0-dda7-4880-8019-02927d0b147a

Timeline

Publicly Published
2020-03-08 (about 6 years ago)
Added
2020-03-08 (about 6 years ago)
Last Updated
2023-06-08 (about 2 years ago)

Other

Published
Title
Published
2025-07-28
Title
Custom API for WP < 4.2.3 - Subscriber+ Privilege Escalation
Published
2024-12-20
Title
AdForest < 5.1.7 - Privilege Escalation via Password Reset/Account Takeover
Published
2026-02-20
Title
Wholesale Suite < 2.2.7 - Authenticated (Shop Manager) Privilege Escalation
Published
2023-08-03
Title
WP Ultimate CSV Importer < 7.9.9 - Author+ Privilege Escalation
Published
2016-02-10
Title
Woocommerce Store Toolkit < 1.5.8 - Privilege Escalation