User Activity Log < 1.6.7 - IP Spoofing
CVE-2023-4279

7.5HIGH

Key Information:

Vendor: Wordpress
Status: User Activity Log
Vendor: CVE Published:; 4 September 2023

Badges

👾 Exploit Exists

Summary

The User Activity Log WordPress plugin versions before 1.6.7 are vulnerable due to improper retrieval of client IP addresses from potentially untrusted headers. This flaw enables attackers to tamper with the IP address values, which can be exploited to obscure the origin of harmful traffic, thereby compromising the security of the WordPress site.

Affected Version(s)

User Activity Log 0 < 1.6.7

References

https://wpscan.com/vulnerability/2bd2579e-b383-4d12-b207-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Sep 24, 2023
👾
Exploit known to exist
Sep 24, 2023
Vulnerability published
Sep 4, 2023
Vulnerability Reserved
Aug 9, 2023

Credit

Bartlomiej Marek and Tomasz Swiadek

WPScan