User Activity Log < 1.6.3 - Admin+ SQL Injection
CVE-2023-2761
7.2HIGH
Summary
The User Activity Log plugin for WordPress prior to version 1.6.3 contains a SQL injection vulnerability that allows users with elevated privileges, such as admin, to exploit the inadequately sanitized txtsearch parameter utilized in SQL queries. This flaw may grant unauthorized access to sensitive data and poses significant security risks, emphasizing the need for immediate updates and proper coding practices in plugin development.
Affected Version(s)
User Activity Log 0 < 1.6.3
References
CVSS V3.1
Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Ilyase Dehy and Aymane Mazguiti
WPScan