A significant SQL injection vulnerability was identified in the WP Activity Log Premium plugin, a popular tool for tracking user activity on WordPress sites. 

An SQLi vulnerability poses a serious risk for thousands of websites because, when exploited, it allows attackers unauthorized access to sensitive data. This type of vulnerability can also serve as a gateway for more severe attacks, compromising the security and integrity of numerous websites even further.

In case you believe your site is facing attacks stemming from this vulnerability, scan your site with MalCare right away.

However, for users protected by MalCare’s robust security system, this threat was swiftly and efficiently neutralized. Thanks to MalCare’s Atomic Security, sites under its shield were proactively protected from this potentially disastrous vulnerability. The firewall, equipped with advanced algorithms and a continuously updated threat intelligence database, detected and blocked malicious attempts exploiting this flaw.

What is the WP Activity Log Premium vulnerability?

Plugin information

With over 200,000 active installations, WP Activity Log by Melapress is one of the most popular WordPress activity log plugins. Its Premium version, which contains the vulnerability, boasts of several features like real-time user activity monitoring, one-click user logoff, report generation, email and SMS notifications, etc.

About the vulnerability

The WP Activity Log Premium vulnerability arises from the insecure implementation of the plugin’s report generation functionality. This allows for SQL injection via the entry–>roles parameter. As a result, authenticated attackers with subscriber privileges can append additional SQL queries into already existing queries to extract sensitive information from site databases.

The plugin utilizes the ajax_generate_report() function within the WSAL_Rep_Views_Main class to query and subsequently convert the database report into JSON format. A significant aspect of this function is the use of the nextDate parameter, where users can specify the filtering date for the report.

However, when inspecting the treatment of the date value, a critical lapse in security is identified as no sanitization measures are applied. Ordinarily, the prepare() function in WordPress is employed to parameterize and sanitize SQL queries, effectively guarding against SQL injection attacks. Unfortunately, in this scenario, the $next_date variable is merely concatenated directly into the SQL query as a string, bypassing any form of secure handling.

Moreover, following the data query, the function build_alert_details() employs the maybe_unserialize() function for handling roles. Herein lies a further security vulnerability—this particular handling method makes it possible for an attacker to initiate a complex UNION-based SQL injection. By crafting malicious serialized data that is leveraged within the query, an attacker could achieve a PHP Object Injection vulnerability when the data is unserialized, posing significant risks to the application.

This vulnerability has now been fixed with the release of WP Activity Log Premium v4.6.4.1 on April 9, 2024.

Who discovered this vulnerability?

The WP Activity Log Premium SQL injection vulnerability was discovered by independent WordPress security researcher 1337_Wannabe, who reported it to Wordfence’s Bug Bounty Program on February 24, 2024. Consequently, Wordfence informed Melapress, the plugin developers, on February 29, 2024, following which a patch was released on April 9, 2024.

How is your WordPress site at risk?

Hackers actively search for opportunities to exploit weaknesses, such as SQL injection vulnerabilities in WordPress plugins, including those like WP Activity Log Premium. Here’s a breakdown of how these vulnerabilities could be exploited:

Hence, we strongly recommend you update the WP Activity Log Premium plugin on your WordPress site immediately, at least to v4.6.4.1.

What are the symptoms of a hacked site?

If you have reason to suspect that your WordPress site might have fallen victim to attacks exploiting this vulnerability, check for a record in your site’s activity logs containing both the path /wp-admin/admin-ajax.php and an action named wsal_AjaxGenerateReport.

The presence of this path and this action could mean that your site is compromised. Take immediate action to update the WP Activity Log Premium plugin and scan and clean your site using MalCare.

How to clean your site?

When your WordPress site suffers a security breach, keeping a level head is crucial. Here are some practical measures to recover your site and enhance its security:

How does MalCare protect your site?

MalCare provides advanced security features for your WordPress site, ensuring thorough protection with its array of tools and capabilities like:

With MalCare’s comprehensive protective layer, your WordPress site benefits from both proactive and robust defenses, ensuring your online presence remains secure and uninterrupted.