$400 Bounty Awarded for SQL Injection Vulnerability Patched in WP Activity Log Premium WordPress Plugin
🎉 Did you know we’re running a Bug Bounty Extravaganza again?
Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure!
On February 24th, 2024, during our second Bug Bounty Extravaganza, we received a submission for an authenticated SQL Injection vulnerability in WP Activity Log Premium, a WordPress plugin with more than 20,000 estimated active installations. This vulnerability can be leveraged to extract sensitive data from the database, such as password hashes.
Props to 1337_Wannabe who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $400.00 for this discovery during our Bug Bounty Program Extravaganza. Our mission is to Secure the Web, so we are proud to continue investing in vulnerability research like this and collaborating with researchers of this caliber through our Bug Bounty Program. This demonstrates that we are not only committed to investing in making the WordPress ecosystem more secure, but also the entire web.
All Wordfence Premium, Wordfence Care, and Wordfence Response customers, as well as those using the free version of our plugin, are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in SQL Injection protection.
We reached out to Melapress on February 29, 2024 via their contact form. Since we did not receive a reply, we tried another contact method on March 27, 2024 and received a response the same day. After providing full disclosure details, the developer released a patch on April 9, 2024. We would like to commend Melapress for their prompt response and timely patch.
We urge users to update their sites with the latest patched version of WP Activity Log Premium, which is version 4.6.4.1, as soon as possible.
Vulnerability Summary from Wordfence Intelligence
Description: WP Activity Log Premium <= 4.6.4 - Authenticated SQL Injection
The researcher presented us with a chained UNION-based SQL injection attack: the injected UNION clause makes the query return attacker-crafted serialized data, and because the plugin unserializes the query result, the SQL injection turns into a PHP Object Injection vulnerability.
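The following PHP is an added illustration of that chain and is not code from WP Activity Log, Melapress or Wordfence. It assumes a hypothetical lookup function that concatenates a role name into SQL and then unserializes the result; the table names, the `LogWriter` class and the sample rows are all constructed for the example, and it uses PDO with the pdo_sqlite driver so it runs stand-alone (in a WordPress plugin the prepared-statement equivalent is `$wpdb->prepare()`).

```php
<?php
// Added example, not WP Activity Log code. Models the bug class described above:
// a role name reaches a SQL string unescaped, a UNION payload makes the query
// return attacker-chosen bytes, and unserialize() on that result instantiates an
// attacker-chosen class. Requires PDO with pdo_sqlite. All names are invented.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE role_settings (role TEXT, settings TEXT)');
$db->exec('CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT)');
// Constructed sample rows: one serialized settings array, one user with a placeholder hash.
$db->exec("INSERT INTO role_settings VALUES ('editor', 'a:1:{s:5:\"theme\";s:4:\"dark\";}')");
$db->exec("INSERT INTO wp_users VALUES (1, 'admin', '\$P\$constructedPlaceholderHash')");

// A "gadget": any class whose magic method does work when the object is built or destroyed.
// A real gadget would do something like file_put_contents($this->path, $this->line).
class LogWriter {
    public $path = '/tmp/demo.log';
    public $line = '';
    public function __destruct() { echo "gadget ran with path={$this->path}\n"; }
}

// Vulnerable pattern: string concatenation, then unserialize() of whatever came back.
function load_settings_vulnerable(PDO $db, string $role) {
    $sql = "SELECT settings FROM role_settings WHERE role = '" . $role . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_NUM);
    return $row ? unserialize($row[0]) : null;
}

// Hardened pattern: bound parameter, and unserialize() never allowed to build objects.
// Better still is to store JSON and json_decode() it; allowed_classes => false is the
// minimum when legacy serialized arrays must still be read.
function load_settings_hardened(PDO $db, string $role) {
    $stmt = $db->prepare('SELECT settings FROM role_settings WHERE role = ?');
    $stmt->execute([$role]);
    $row = $stmt->fetch(PDO::FETCH_NUM);
    if (!$row) {
        return null;
    }
    $data = unserialize($row[0], ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// Step 1 of the chain: a UNION reads data the query was never meant to expose.
// (|| is SQLite concatenation; MySQL would use CONCAT().)
$leak = "x' UNION SELECT user_login || ':' || user_pass FROM wp_users -- ";
$sql  = "SELECT settings FROM role_settings WHERE role = '" . $leak . "'";
echo "leaked column: " . $db->query($sql)->fetchColumn() . "\n";

// Step 2: make the UNION return a serialized object instead, so unserialize() builds it.
// Hand-written PHP serialization of a LogWriter with attacker-chosen properties.
$payload = 'O:9:"LogWriter":2:{s:4:"path";s:17:"/tmp/attacker.log";s:4:"line";s:5:"pwned";}';
$inject  = "x' UNION SELECT '" . str_replace("'", "''", $payload) . "' -- ";

$obj = load_settings_vulnerable($db, $inject);
echo "vulnerable path returned: " . (is_object($obj) ? get_class($obj) : gettype($obj)) . "\n";

// Same input against the hardened version: the role is just a string that matches nothing.
var_dump(load_settings_hardened($db, $inject));
var_dump(load_settings_hardened($db, 'editor'));
```

The two halves of the chain are separable defences: a bound parameter alone stops the UNION, and refusing to unserialize objects alone stops the gadget, but the patch should do both, since a second query that still concatenates input would otherwise reach the same unserialize() call.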
Wordfence Firewall
The following graphic shows the steps an attacker might take to exploit this vulnerability and the point at which the Wordfence firewall would block the attempt.
The Wordfence firewall rule detects the malicious SQL query and blocks the request.
Disclosure Timeline
February 24, 2024 – We receive the submission of the SQL Injection vulnerability in WP Activity Log Premium via the Wordfence Bug Bounty Program.
February 28, 2024 – We validate the report and confirm the proof-of-concept exploit.
February 29, 2024 – We initiate contact via contact form with the plugin vendor asking that they confirm the inbox for handling the discussion.
March 27, 2024 – We try again to initiate contact via email with the plugin vendor asking that they confirm the inbox for handling the discussion.
March 27, 2024 – The vendor confirms the inbox for handling the discussion.
March 27, 2024 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.
April 9, 2024 – The fully patched version of the plugin, 4.6.4.1, is released.
Conclusion
In this blog post, we detailed a SQL Injection vulnerability within the WP Activity Log Premium plugin affecting versions 4.6.4 and earlier. This vulnerability allows authenticated threat actors to inject malicious SQL queries to steal sensitive information from the database. The vulnerability has been fully addressed in version 4.6.4.1 of the plugin.
We encourage WordPress users to verify that their sites are updated to the latest patched version of WP Activity Log Premium.
All Wordfence users, including those running Wordfence Premium, Wordfence Care, and Wordfence Response, as well as sites running the free version of Wordfence, are fully protected against this vulnerability.
If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.
Source: wordfence.com