Authorization Bypass in WP Activity Log Plugin for WordPress
CVE-2020-36716

7.3HIGH

Key Information:

Vendor: Wordpress
Status: WP Activity Log
Vendor: CVE Published:; 7 June 2023

What is CVE-2020-36716?

The WP Activity Log plugin for WordPress has a vulnerability that allows unauthorized users to exploit a missing capability check in the setup_page function. This flaw can lead to unauthenticated attacks, permitting users to initiate the setup wizard and access sensitive plugin configuration settings if the wizard has not been previously completed.

Affected Version(s)

WP Activity Log * < 4.0.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://blog.nintechnet.com/vulnerabilities-fixed-in-word...

https://plugins.trac.wordpress.org/changeset/2252006

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 7, 2023
Vulnerability Reserved
Jun 6, 2023

Credit

Jerome Bruandet