MalCare Stands Strong Against WP Activity Log Premium SQL Injection Vulnerability

A significant SQL injection vulnerability was identified in the WP Activity Log Premium plugin, a popular tool for tracking user activity on WordPress sites.
An SQLi vulnerability poses a serious risk for thousands of websites because, when exploited, it allows attackers unauthorized access to sensitive data. This type of vulnerability can also serve as a gateway for more severe attacks, compromising the security and integrity of numerous websites even further.
In case you believe your site is facing attacks stemming from this vulnerability, scan your site with MalCare right away.
However, for users protected by MalCare’s robust security system, this threat was swiftly and efficiently neutralized. Thanks to MalCare’s Atomic Security, sites under its shield were proactively protected from this potentially disastrous vulnerability. The firewall, equipped with advanced algorithms and a continuously updated threat intelligence database, detected and blocked malicious attempts exploiting this flaw.
What is the WP Activity Log Premium vulnerability?
Plugin information
With over 200,000 active installations, WP Activity Log by Melapress is one of the most popular WordPress activity log plugins. Its Premium version, which contains the vulnerability, offers features such as real-time user activity monitoring, one-click user logoff, report generation, and email and SMS notifications.

About the vulnerability
The WP Activity Log Premium vulnerability arises from the insecure implementation of the plugin's report generation functionality, which allows SQL injection via the entry->roles parameter. As a result, authenticated attackers with subscriber-level privileges or higher can append additional SQL to an existing query and extract sensitive information from the site database.
The plugin uses the ajax_generate_report() function in the WSAL_Rep_Views_Main class to query the database and convert the resulting report into JSON. This function reads a nextDate parameter, through which the caller specifies the filtering date for the report.

However, inspecting how that date value is handled reveals a critical lapse: no sanitization or parameterization is applied. Ordinarily, WordPress's $wpdb->prepare() is used to parameterize SQL queries, which guards against SQL injection. Here, the $next_date variable is instead concatenated directly into the SQL query string, bypassing any form of secure handling.

Moreover, after the query runs, the build_alert_details() function passes the roles value through maybe_unserialize(). This compounds the problem: using a UNION-based SQL injection through $next_date, an attacker can control the roles value that the query returns and supply a crafted serialized string. When that string is unserialized, the SQL injection turns into a PHP Object Injection vulnerability. Whether object injection can be escalated further (for example to code execution) depends on a usable gadget chain being present in the site's installed code, but an unserialize() call on attacker-controlled data is a serious exposure on its own.

This vulnerability has now been fixed with the release of WP Activity Log Premium v4.6.4.1 on April 9, 2024.
Who discovered this vulnerability?
The WP Activity Log Premium SQL injection vulnerability was discovered by independent WordPress security researcher 1337_Wannabe, who reported it to Wordfence’s Bug Bounty Program on February 24, 2024. Consequently, Wordfence informed Melapress, the plugin developers, on February 29, 2024, following which a patch was released on April 9, 2024.
How is your WordPress site at risk?
Hackers actively search for opportunities to exploit weaknesses such as SQL injection vulnerabilities in WordPress plugins, including WP Activity Log Premium. Here is a breakdown of how these vulnerabilities could be exploited:
Hence, we strongly recommend you update the WP Activity Log Premium plugin on your WordPress site immediately, at least to v4.6.4.1.
What are the symptoms of a hacked site?
If you have reason to suspect that your WordPress site has been targeted by attacks exploiting this vulnerability, check your site's activity logs for records containing both the path /wp-admin/admin-ajax.php and an action named wsal_AjaxGenerateReport.
Such records show that the report endpoint was called, but on their own they are not proof of compromise: legitimate report generation by an administrator produces the same path and action. Requests from low-privilege accounts, or whose nextDate value is anything other than a plain date or timestamp, are the ones that warrant investigation. Take immediate action to update the WP Activity Log Premium plugin and scan and clean your site using MalCare.
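The detection described above, as an added example that is not part of the original page or of MalCare's own tooling. The log format is constructed for the example (timestamp, client IP, authenticated role, method, path, then key=value request fields) and is not a real web-server or plugin log format; in particular, plain web-server access logs do not record POST bodies, so the nextDate check below needs a firewall or application log that captures request parameters. It flags every call to the report action, then raises the severity when the caller is not an administrator or the nextDate value carries SQL syntax.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (hypothetical format, not real MalCare or
# plugin output). Line 2 carries an injection attempt in nextDate; line 5 is
# a well-formed request from a subscriber account, which is still unusual.
SAMPLE_LOG = """\
2024-04-10T09:12:03Z 198.51.100.7 role=administrator POST /wp-admin/admin-ajax.php action=wsal_AjaxGenerateReport nextDate=1712700000
2024-04-10T09:15:41Z 203.0.113.5 role=subscriber POST /wp-admin/admin-ajax.php action=wsal_AjaxGenerateReport nextDate=0+UNION+SELECT+99%2C%27O%3A6%3A%22Gadget%22%3A0%3A%7B%7D%27
2024-04-10T09:16:02Z 203.0.113.5 role=subscriber POST /wp-admin/admin-ajax.php action=heartbeat nextDate=
2024-04-10T09:20:17Z 192.0.2.9 role=anonymous GET /index.php
2024-04-10T09:22:55Z 203.0.113.5 role=subscriber POST /wp-admin/admin-ajax.php action=wsal_AjaxGenerateReport nextDate=1712701000
"""

TARGET_PATH = "/wp-admin/admin-ajax.php"
TARGET_ACTION = "wsal_AjaxGenerateReport"
# Tokens that have no business in a date filter value.
SQL_MARKERS = re.compile(r"(union|select|sleep|benchmark|--|/\*|'|\")", re.I)


def parse_line(line):
    """Split one constructed log line into fixed fields plus key=value fields."""
    parts = line.split()
    if len(parts) < 4:
        return None
    rec = {"ts": parts[0], "ip": parts[1], "method": None, "path": None, "fields": {}}
    positional = []
    for tok in parts[2:]:
        if "=" in tok:
            key, _, val = tok.partition("=")
            rec["fields"][key] = unquote_plus(val)  # decode %xx and '+' once
        else:
            positional.append(tok)
    if len(positional) != 2:
        return None
    rec["method"], rec["path"] = positional
    return rec


def classify(rec):
    """Return a finding for report-generation calls, None for anything else."""
    fields = rec["fields"]
    if rec["path"] != TARGET_PATH or fields.get("action") != TARGET_ACTION:
        return None
    next_date = fields.get("nextDate", "")
    role = fields.get("role", "unknown")
    reasons, severity = [], "info"
    if not re.fullmatch(r"\d+", next_date):
        reasons.append("nextDate is not a plain integer timestamp")
        severity = "medium"
    if SQL_MARKERS.search(next_date):
        reasons.append("nextDate contains SQL syntax")
        severity = "high"
    if role != "administrator":
        # Report generation is an administrative feature; the page notes the
        # flaw was reachable by subscriber-level accounts.
        reasons.append(f"report requested by a {role} account")
        severity = "high" if severity == "high" else "medium"
    return {"ts": rec["ts"], "ip": rec["ip"], "role": role,
            "nextDate": next_date, "severity": severity, "reasons": reasons}


def scan_log(text):
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        finding = classify(rec)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["severity"].upper(), f["ts"], f["ip"], f["role"], "|", "; ".join(f["reasons"]) or "no anomaly")
```

Run against the constructed lines, the administrator's request is reported as informational, the subscriber's UNION payload as high severity, and the subscriber's well-formed request as medium severity; the heartbeat call and the front-page request are ignored because they never reach the report action.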
How to clean your site?
When your WordPress site suffers a security breach, keeping a level head is crucial. Here are some practical measures to recover your site and enhance its security:
How does MalCare protect your site?
MalCare provides advanced security features for your WordPress site, ensuring thorough protection with its array of tools and capabilities like:
With MalCare’s comprehensive protective layer, your WordPress site benefits from both proactive and robust defenses, ensuring your online presence remains secure and uninterrupted.