MalCare Stands Strong Against WP Activity Log Premium SQL Injection Vulnerability

by

Anurag Changmai

7-layers of Security for Your WordPress Site

Your website needs the most comprehensive security to protect it from the constant attacks it faces everyday.

Protect Site for Free

A significant SQL injection vulnerability was identified in the WP Activity Log Premium plugin, a popular tool for tracking user activity on WordPress sites. 

An SQLi vulnerability poses a serious risk for thousands of websites because, when exploited, it allows attackers unauthorized access to sensitive data. This type of vulnerability can also serve as a gateway for more severe attacks, compromising the security and integrity of numerous websites even further.

In case you believe your site is facing attacks stemming from this vulnerability, scan your site with MalCare right away.

However, for users protected by MalCare’s robust security system, this threat was swiftly and efficiently neutralized. Thanks to MalCare’s Atomic Security, sites under its shield were proactively protected from this potentially disastrous vulnerability. The firewall, equipped with advanced algorithms and a continuously updated threat intelligence database, detected and blocked malicious attempts exploiting this flaw.

What is the WP Activity Log Premium vulnerability?

Plugin information

  • Vulnerable plugin version: v4.6.4 and earlier
  • Patch release version: v4.6.4.1 and newer

With over 200,000 active installations, WP Activity Log by Melapress is one of the most popular WordPress activity log plugins. Its Premium version, which contains the vulnerability, boasts of several features like real-time user activity monitoring, one-click user logoff, report generation, email and SMS notifications, etc.

WP Activity Log plugin
WP Activity Log plugin

About the vulnerability

The WP Activity Log Premium vulnerability arises from the insecure implementation of the plugin’s report generation functionality. This allows for SQL injection via the entry–>roles parameter. As a result, authenticated attackers with subscriber privileges can append additional SQL queries into already existing queries to extract sensitive information from site databases.

The plugin utilizes the ajax_generate_report() function within the WSAL_Rep_Views_Main class to query and subsequently convert the database report into JSON format. A significant aspect of this function is the use of the nextDate parameter, where users can specify the filtering date for the report.

WP Activity Log plugin vulnerable code 1
Vulnerable code 1

However, when inspecting the treatment of the date value, a critical lapse in security is identified as no sanitization measures are applied. Ordinarily, the prepare() function in WordPress is employed to parameterize and sanitize SQL queries, effectively guarding against SQL injection attacks. Unfortunately, in this scenario, the $next_date variable is merely concatenated directly into the SQL query as a string, bypassing any form of secure handling.

WP Activity Log plugin vulnerable code 2
Vulnerable code 2

Moreover, following the data query, the function build_alert_details() employs the maybe_unserialize() function for handling roles. Herein lies a further security vulnerability—this particular handling method makes it possible for an attacker to initiate a complex UNION-based SQL injection. By crafting malicious serialized data that is leveraged within the query, an attacker could achieve a PHP Object Injection vulnerability when the data is unserialized, posing significant risks to the application.

WP Activity Log plugin vulnerable code 3
Vulnerable code 3

This vulnerability has now been fixed with the release of WP Activity Log Premium v4.6.4.1 on April 9, 2024.

Who discovered this vulnerability?

The WP Activity Log Premium SQL injection vulnerability was discovered by independent WordPress security researcher 1337_Wannabe, who reported it to Wordfence’s Bug Bounty Program on February 24, 2024. Consequently, Wordfence informed Melapress, the plugin developers, on February 29, 2024, following which a patch was released on April 9, 2024.

How is your WordPress site at risk?

Hackers actively search for opportunities to exploit weaknesses, such as SQL injection vulnerabilities in WordPress plugins, including those like WP Activity Log Premium. Here’s a breakdown of how these vulnerabilities could be exploited:

  • Extracting sensitive data: Through SQL injection, hackers can retrieve sensitive information from the WordPress database. This could include details such as user profiles, email addresses, passwords (even hashed passwords may be targeted for cracking), and other personal data on the site.
  • Modifying database information: Beyond theft of data, attackers can manipulate it. They could alter prices in an eCommerce setting, change user roles (e.g., upgrading a standard user to an admin), or embed malicious content within the site’s posts or pages.
  • Website defacement: Hackers can also use SQL injection to alter a website’s content with their own, which might be to disseminate specific messages or merely to demonstrate their capabilities.
  • Denial of service: Sometimes the objective is to disrupt the service. By tampering with SQL queries, attackers can remove essential data or cause database overloads, which could crash the site.
  • Planting backdoors: Utilizing SQL injection vulnerabilities might also enable hackers to install backdoors on the WordPress site. This grants them persistent access to the site’s backend, which remains a threat even after the initial vulnerability has been addressed.

Hence, we strongly recommend you update the WP Activity Log Premium plugin on your WordPress site immediately, at least to v4.6.4.1.

What are the symptoms of a hacked site?

If you have reason to suspect that your WordPress site might have fallen victim to attacks exploiting this vulnerability, check for a record in your site’s activity logs containing both the path /wp-admin/admin-ajax.php and an action named wsal_AjaxGenerateReport.

The presence of this path and this action could mean that your site is compromised. Take immediate action to update the WP Activity Log Premium plugin and scan and clean your site using MalCare.

How to clean your site?

When your WordPress site suffers a security breach, keeping a level head is crucial. Here are some practical measures to recover your site and enhance its security:

  • Initiate a MalCare scan: First, install MalCare to eradicate any present malware swiftly. This foundational step is critical in regaining control and shielding your site against future threats with MalCare’s Atomic Security feature.
  • Update plugins and themes: Make sure to regularly monitor and update your plugins and themes. Outdated elements are common targets for hackers due to known vulnerabilities. MalCare’s dashboard facilitates this by notifying you of outdated components, simplifying the update process and helping secure your site.
  • Refresh WordPress salts and security keys: This action forces all users to log out and terminates all active sessions, significantly enhancing security. MalCare integrates this step smoothly in its cleanup routine.
  • Audit user roles and permissions: Review all user roles and permissions for any discrepancies. If something doesn’t look right, promptly revoke access to mitigate risks.
  • Modify login credentials: Immediately update your admin password and ensure all accounts are logged out. Instruct users to reset their passwords, advocating for strong, new passwords in the process.
  • Boost login security: Implement two-factor authentication (2FA) and set limits on login attempts to diminish the likelihood of unauthorized access.
  • Continuous monitoring: Utilize MalCare’s monitoring capabilities to keep a vigilant watch over your site. It continually scans for suspicious activities, provides timely threat alerts, and consistently checks for malware, keeping your site safeguarded round the clock.

How does MalCare protect your site?

MalCare provides advanced security features for your WordPress site, ensuring thorough protection with its array of tools and capabilities like:

  • Rapid malware detection and removal: MalCare conducts daily scans of your site, actively searching for malware. When malware is detected, its robust removal tool swiftly eliminates the threat, restoring the health and security of your site.
  • Vulnerability alerts: Constantly vigilant, MalCare scans your plugins and themes for potential vulnerabilities. Upon detection of any issues, it immediately notifies you, enabling you to fortify your site’s defenses promptly.
  • Bot defense: MalCare recognizes the disruptive impact of bots on site performance and counters them with strong defensive measures to maintain smooth site operation.
  • Automated backups: MalCare’s automated, offsite backup system keeps your data safe, providing peace of mind with the ability to restore your site quickly if disaster strikes.

With MalCare’s comprehensive protective layer, your WordPress site benefits from both proactive and robust defenses, ensuring your online presence remains secure and uninterrupted.

Category:

Anurag Changmai

Anurag Changmai

Anurag traded algorithms for adverbs when he switched from being a software engineer to being a writer. Editor by day, he chases F1 by night!

Share it:

You may also like

How can we help you?

If you’re worried that your website has been hacked, MalCare can help you quickly fix the issue and secure your site to prevent future hacks.

My site is hacked – Help me clean it

Clean your site with MalCare’s AntiVirus solution within minutes. It will remove all malware from your complete site. Guaranteed.

Clean your Site
Secure my WordPress Site from hackers

MalCare’s 7-Layer Security Offers Complete Protection for Your Website. 300,000+ Websites Trust MalCare for Total Defence from Attacks.

Protect your Site