User Activity Log < 1.6.5 - Unauthenticated SQLi
CVE-2023-3435

9.8CRITICAL

Key Information:

Vendor: Wordpress
Status: User Activity Log
Vendor: CVE Published:; 14 August 2023

What is CVE-2023-3435?

The User Activity Log Plugin for WordPress prior to version 1.6.5 contains a flaw that allows unauthenticated attackers to execute SQL injection attacks. This is due to improper sanitization and escaping of input parameters when generating SQL statements during the export feature. Exploiting this vulnerability could enable attackers to manipulate database queries, potentially leading to unauthorized data disclosure or alteration.

Affected Version(s)

User Activity Log 0 < 1.6.5

References

https://wpscan.com/vulnerability/30a37a61-0d16-46f7-b9d8-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 14, 2023
Vulnerability Reserved
Jun 27, 2023

Credit

Marc Montpas

WPScan

Wordpress

What is CVE-2023-3435?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit