CVE-2020-36716

7.3 HIGH

📋 TL;DR

The WP Activity Log plugin for WordPress has an authorization bypass vulnerability that allows unauthenticated attackers to run the plugin's setup wizard and access configuration options. This affects all WordPress sites using WP Activity Log version 4.0.1 or earlier where the setup wizard hasn't been completed.

💻 Affected Systems

Products:
  • WP Activity Log (formerly WP Security Audit Log)
Versions: Up to and including 4.0.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable if the setup wizard hasn't been run previously. WordPress multisite installations may have a different impact.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could reconfigure the plugin to disable security logging, modify audit settings, or potentially chain with other vulnerabilities to gain administrative access.

🟠 Likely Case

Attackers could disable security auditing functionality, preventing detection of other malicious activities on the WordPress site.

🟢 If Mitigated

If the setup wizard was already completed before exploitation attempts, the vulnerability has no impact.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending a simple HTTP request to the vulnerable endpoint. No authentication or special conditions needed beyond the setup wizard not being completed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.0.2

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/2252006

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find WP Activity Log
4. Click 'Update Now' if available
5. If no update available, download version 4.0.2+ from WordPress.org
6. Upload and replace the plugin files

🔧 Temporary Workarounds

Complete Setup Wizard

Platform: all

Manually run the setup wizard to make the vulnerable endpoint inaccessible.

Navigate to /wp-admin/admin.php?page=wsal-setup in your WordPress admin.

Block Vulnerable Endpoint

Platform: linux

Use a web application firewall or .htaccess to block access to the setup endpoint.

# Add to .htaccess:
RewriteEngine On
RewriteRule ^wp-content/plugins/wp-security-audit-log/classes/Views/Setup.*$ - [F,L]

🧯 If You Can't Patch

  • Complete the plugin setup wizard immediately to remove the vulnerable state
  • Temporarily disable the WP Activity Log plugin until patching is possible

🔍 How to Verify

Check if Vulnerable:

Check if /wp-content/plugins/wp-security-audit-log/classes/Views/Setup.php exists and if the plugin version is 4.0.1 or lower in WordPress admin → Plugins

Check Version:

grep -r "Version:" /path/to/wordpress/wp-content/plugins/wp-security-audit-log/wp-security-audit-log.php | head -1

Verify Fix Applied:

Verify plugin version is 4.0.2 or higher in WordPress admin → Plugins, and attempt to access /wp-admin/admin.php?page=wsal-setup without authentication (should be blocked)

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated POST requests to /wp-admin/admin-ajax.php with action=wsal_setup
  • Access to /wp-admin/admin.php?page=wsal-setup from unauthenticated users
  • Sudden changes to WP Activity Log configuration without admin activity

Network Indicators:

  • HTTP requests to setup-related endpoints from external IPs without authentication cookies

SIEM Query:

source="web_access_logs" AND (uri_path="/wp-admin/admin.php" AND query_string="page=wsal-setup" AND NOT user_agent="WordPress/*")
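The log indicators above can be turned into a small offline check. The following script is an added example, not part of this advisory or the plugin: it parses Apache combined-format lines with the request Cookie header appended as an extra quoted field (an assumed custom LogFormat), and flags requests to page=wsal-setup that carry no wordpress_logged_in_ cookie. The log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines: Apache "combined" format plus a trailing "%{Cookie}i" field.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2024:13:01:02 +0000] "GET /wp-admin/admin.php?page=wsal-setup HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-"
203.0.113.7 - - [10/Feb/2024:13:01:09 +0000] "POST /wp-admin/admin.php?page=wsal-setup&step=2 HTTP/1.1" 302 0 "-" "python-requests/2.31" "-"
198.51.100.4 - - [10/Feb/2024:13:05:44 +0000] "GET /wp-admin/admin.php?page=wsal-setup HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "wordpress_logged_in_abc123=admin%7C1707600000%7Ctok%7Chash; wp-settings-1=x"
198.51.100.4 - - [10/Feb/2024:13:06:01 +0000] "GET /wp-admin/admin.php?page=wsal-auditlog HTTP/1.1" 200 9000 "-" "Mozilla/5.0" "wordpress_logged_in_abc123=admin%7C1707600000%7Ctok%7Chash"
192.0.2.9 - - [10/Feb/2024:13:07:15 +0000] "GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0" "-"
"""

# Assumed LogFormat: "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Cookie}i\""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

def is_wsal_setup_request(target):
    """True when the request path is admin.php and the page parameter is wsal-setup."""
    parts = urlsplit(target)
    if parts.path != "/wp-admin/admin.php":
        return False
    return "wsal-setup" in parse_qs(parts.query).get("page", [])

def has_wp_auth_cookie(cookie_header):
    """WordPress issues a wordpress_logged_in_<hash> cookie for authenticated sessions."""
    return any(c.strip().startswith("wordpress_logged_in_")
               for c in cookie_header.split(";"))

def find_unauthenticated_setup_hits(log_text):
    """Return (ip, method, status, target) for setup-wizard requests lacking an auth cookie."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not match the expected format; skip it
        if is_wsal_setup_request(m["target"]) and not has_wp_auth_cookie(m["cookie"]):
            hits.append((m["ip"], m["method"], int(m["status"]), m["target"]))
    return hits

if __name__ == "__main__":
    for hit in find_unauthenticated_setup_hits(SAMPLE_LOG):
        print("ALERT unauthenticated wsal-setup access:", hit)
```

On the sample input the two requests from 203.0.113.7 are flagged; the logged-in admin's visit to the same page and the unrelated requests are not.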
