CVE-2023-4279

7.5 HIGH

📋 TL;DR

The User Activity Log WordPress plugin before version 1.6.7 determines the client IP address from HTTP headers (such as X-Forwarded-For) that any client can set, and trusts them without validation. An attacker can therefore choose the IP address the plugin records, hiding the true source of activity or bypassing IP-based restrictions. WordPress sites running a vulnerable version of this plugin are affected.

💻 Affected Systems

Products:
  • User Activity Log WordPress Plugin
Versions: All versions before 1.6.7
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations with the vulnerable plugin version are affected regardless of configuration.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers completely hide their origin while conducting malicious activities like brute force attacks, content scraping, or reconnaissance, making attribution and blocking impossible.

🟠 Likely Case

Attackers spoof IP addresses to bypass IP-based rate limiting, access controls, or geographic restrictions, enabling continued malicious activity.

🟢 If Mitigated

With logging and monitoring that correlates more than the reported address (for example the TCP source IP and account behaviour), spoofed IPs can still be flagged through behavioural anomalies despite the header manipulation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP header manipulation, which is trivial with standard tools like curl or proxies.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.6.7

Vendor Advisory: https://wpscan.com/vulnerability/2bd2579e-b383-4d12-b207-6fc32cfb82bc

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the 'User Activity Log' plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 1.6.7 or later from the WordPress plugin repository and update manually.

🔧 Temporary Workarounds

Disable Vulnerable Plugin

Platform: all

Temporarily deactivate the User Activity Log plugin until patched.

wp plugin deactivate user-activity-log

Implement Web Application Firewall

Platform: all

Configure the WAF or reverse proxy to strip or overwrite client-supplied X-Forwarded-For, X-Real-IP and Client-IP headers, so that only the value set by your own proxy reaches WordPress.

🧯 If You Can't Patch

  • Implement network-level IP filtering and monitoring instead of relying on plugin logs.
  • Use alternative user activity monitoring plugins that properly validate client IP addresses.
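The trusted-proxy logic that both the WAF workaround and a properly written plugin need, written here in Python as an added example (not the plugin's code). The vulnerable resolver reproduces the header-first pattern the advisory describes; the proxy range 192.0.2.0/24 and the request values are constructed.

```python
import ipaddress
from typing import Iterable, Mapping, Optional

# Headers the advisory names as client-controllable when trusted blindly.
SPOOFABLE_HEADERS = ("x-forwarded-for", "x-real-ip", "client-ip")
TRUSTED_PROXIES = ["192.0.2.0/24"]  # assumed range of our own reverse proxies

def _parse_ip(value: str) -> Optional[str]:
    """Return a normalised IP string, or None when the text is not an address."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None

def naive_client_ip(headers: Mapping[str, str], remote_addr: str) -> str:
    """Insecure pattern the advisory describes: any client-supplied header wins
    over the TCP peer address, so the caller chooses the IP that gets logged."""
    lower = {k.lower(): v for k, v in headers.items()}
    for name in SPOOFABLE_HEADERS:
        candidate = _parse_ip(lower.get(name, "").split(",")[0])
        if candidate:
            return candidate
    return remote_addr

def client_ip(headers: Mapping[str, str], remote_addr: str,
              trusted_proxies: Iterable[str] = TRUSTED_PROXIES) -> str:
    """Hardened resolution: honour X-Forwarded-For only when the TCP peer is a
    proxy we operate, then take the right-most hop that is not one of ours."""
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def trusted(ip: str) -> bool:
        return any(ipaddress.ip_address(ip) in net for net in nets)

    if not trusted(remote_addr):
        return remote_addr  # direct connection: the headers are attacker-controlled
    lower = {k.lower(): v for k, v in headers.items()}
    hops = [ip for ip in map(_parse_ip, lower.get("x-forwarded-for", "").split(","))
            if ip]
    for hop in reversed(hops):  # walk back through the proxies we trust
        if not trusted(hop):
            return hop
    return remote_addr  # header missing, garbage, or only our own proxies in it

# Constructed request: a direct client forges X-Forwarded-For.
FORGED_HEADERS, FORGED_PEER = {"X-Forwarded-For": "10.0.0.1"}, "203.0.113.5"
```

For the constructed request, naive_client_ip logs the forged 10.0.0.1 while client_ip keeps the real peer 203.0.113.5 because the peer is not a trusted proxy.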

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for the User Activity Log version. If the version is below 1.6.7, the site is vulnerable.

Check Version:

wp plugin get user-activity-log --field=version

Verify Fix Applied:

Confirm plugin version is 1.6.7 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Multiple activities from the same user showing rapidly changing IP addresses
  • IP addresses in logs that don't match network traffic source IPs

Network Indicators:

  • HTTP requests with manipulated X-Forwarded-For, X-Real-IP, or Client-IP headers
  • Discrepancy between TCP source IP and logged IP in application

SIEM Query:

source="wordpress.log" "User Activity Log" | rex field=_raw "IP\s*:\s*(?<ip>\S+)" | stats count by ip | where count > threshold
