$400 Bounty Awarded for SQL Injection Vulnerability Patched in WP Activity Log Premium WordPress Plugin

🎉 Did you know we’re running a Bug Bounty Extravaganza again?

Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure!

On February 24th, 2024, during our second Bug Bounty Extravaganza, we received a submission for an authenticated SQL Injection vulnerability in WP Activity Log Premium, a WordPress plugin with more than 20,000 estimated active installations. This vulnerability can be leveraged to extract sensitive data from the database, such as password hashes.

Props to 1337_Wannabe who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $400.00 for this discovery during our Bug Bounty Program Extravaganza. Our mission is to Secure the Web, so we are proud to continue investing in vulnerability research like this and collaborating with researchers of this caliber through our Bug Bounty Program. This demonstrates that we are not only committed to investing in making the WordPress ecosystem more secure, but also the entire web.

All Wordfence Premium, Wordfence Care, and Wordfence Response customers, as well as those using the free version of our plugin, are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in SQL Injection protection.

We reached out to Melapress on February 29, 2024 via their contact form. Since we did not receive a reply, we tried another contact method on March 27, 2024, and received a response on March 27, 2024. After providing full disclosure details, the developer released a patch on April 9, 2024. We would like to commend Melapress for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of WP Activity Log Premium, which is version 4.6.4.1, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

The WP Activity Log Premium plugin for WordPress is vulnerable to SQL Injection via the entry->roles parameter in all versions up to, and including, 4.6.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber privileges and above to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. One demonstrated attack included the injection of a PHP Object.

Technical Analysis

The WP Activity Log Premium plugin is the premium version of the popular WP Activity Log WordPress plugin, which includes many premium features and functions.

Unfortunately, insecure implementation of the plugin’s report generation functionality allows for SQL injection. Examining the code reveals that the plugin uses the ajax_generate_report() function in the WSAL_Rep_Views_Main class to query the report from the database, then generate JSON from it, where the next date filter can be specified with the ‘nextDate’ parameter.

$filters[‘nextDate’] = $_POST[‘nextDate’];
$next_date = ( empty( $filters[‘nextDate’] ) ? null : $filters[‘nextDate’] );

Examining the code reveals that no sanitization function is being used on the date value.

Typically, the prepare() function would parameterize and escape the SQL query for safe execution in WordPress, thereby providing protection against SQL injection attacks. But, in this instance, the $next_date value is not used as a parameter, it is just appended to the query as a string.

if ( ! empty( $next_date ) ) {
$sql .= ‘ AND occ.created_on < ‘ . $next_date;
}

After the query, the build_alert_details() function uses maybe_unserialize() for roles.

$roles = maybe_unserialize( $entry->roles );

A researcher presented us with a chained UNION-based SQL injection attack that allows an attacker to craft malicious serialized data using the query, which when unserialized, results in a PHP Object Injection vulnerability.

Wordfence Firewall

The following graphic demonstrates the steps to exploitation an attacker might take and at which point the Wordfence firewall would block an attacker from successfully exploiting the vulnerability.

The Wordfence firewall rule detects the malicious SQL query and blocks the request.

Disclosure Timeline

February 24, 2024 – We receive the submission of the SQL Injection vulnerability in WP Activity Log Premium via the Wordfence Bug Bounty Program.
February 28, 2024 – We validate the report and confirm the proof-of-concept exploit.
February 29, 2024 – We initiate contact via contact form with the plugin vendor asking that they confirm the inbox for handling the discussion.
March 27, 2024 – We try again to initiate contact via email with the plugin vendor asking that they confirm the inbox for handling the discussion.
March 27, 2024 – The vendor confirms the inbox for handling the discussion.
March 27, 2024 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.
April 9, 2024 – The fully patched version of the plugin, 4.6.4.1, is released.

Conclusion

In this blog post, we detailed a SQL Injection vulnerability within the WP Activity Log Premium plugin affecting versions 4.6.4 and earlier. This vulnerability allows authenticated threat actors to inject malicious SQL queries to steal sensitive information from the database. The vulnerability has been fully addressed in version 4.6.4.1 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of WP Activity Log Premium.

All Wordfence users, including those running Wordfence Premium, Wordfence Care, and Wordfence Response, as well as sites running the free version of Wordfence, are fully protected against this vulnerability.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

The post $400 Bounty Awarded for SQL Injection Vulnerability Patched in WP Activity Log Premium WordPress Plugin appeared first on Wordfence.

Leave a Comment