CVE-2023-5133

7.5 HIGH

📋 TL;DR

The user-activity-log-pro WordPress plugin before version 2.3.4 insecurely retrieves client IP addresses from HTTP request headers (such as X-Forwarded-For) that any client can set. This lets attackers spoof the IP address the plugin records, hiding the source of their activity or bypassing IP-based restrictions. WordPress sites running a vulnerable version of this plugin are affected.

💻 Affected Systems

Products:
  • user-activity-log-pro WordPress plugin
Versions: All versions before 2.3.4
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress installations with the vulnerable plugin active.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers completely hide their identity while conducting malicious activities like brute force attacks, content scraping, or reconnaissance, making attribution and blocking impossible.

🟠 Likely Case

Attackers spoof IP addresses to bypass IP-based rate limiting, access controls, or geographic restrictions, enabling continued malicious activity.

🟢 If Mitigated

With proper logging and monitoring, spoofed IPs might be detected through pattern analysis, but attribution remains difficult.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending HTTP requests with spoofed headers, which is trivial with standard tools like curl or Burp Suite.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.3.4

Vendor Advisory: https://wpscan.com/vulnerability/36c30e54-75e4-4df1-b01a-60c51c0e76a3

Restart Required: No

Instructions:

1. Log into the WordPress admin dashboard.
2. Navigate to Plugins > Installed Plugins.
3. Find 'User Activity Log Pro' and check whether the version is below 2.3.4.
4. Click 'Update Now' if available, or manually update via FTP/SSH by replacing the plugin files with version 2.3.4 or later.

🔧 Temporary Workarounds

Disable vulnerable plugin (platform: all)

Temporarily deactivate the user-activity-log-pro plugin until patched.

wp plugin deactivate user-activity-log-pro

Web server IP filtering (platform: linux)

Configure the web server (Apache/Nginx) to drop or overwrite X-Forwarded-For and similar client-supplied headers before they reach PHP. Only do this on a server that is itself the internet-facing edge; if a trusted reverse proxy sits in front of it, stripping the header discards the real client address instead.

# Apache (mod_headers): RequestHeader unset X-Forwarded-For
# Nginx, in the location that proxies to the backend: proxy_set_header X-Forwarded-For $remote_addr;

🧯 If You Can't Patch

  • Implement network-level IP filtering and rate limiting using WAF or firewall rules.
  • Deploy additional logging and monitoring to detect anomalous IP patterns or spoofing attempts.
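The root cause is application code that trusts whichever IP-bearing header the client sent. The added PHP example below (not the plugin's own code) shows that vulnerable pattern beside a hardened resolver that only consults X-Forwarded-For when the TCP peer is a known proxy of the site; the proxy and client addresses are constructed for illustration.

```php
<?php
// Added example, not the plugin's code. $trusted_proxies (the site's own
// reverse proxies) and all addresses below are constructed placeholders.

// VULNERABLE pattern: the first header present wins, and every one of these
// is client-controlled unless a proxy in front of the site overwrites it.
function client_ip_vulnerable(array $server): string
{
    foreach (['HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP'] as $key) {
        if (!empty($server[$key])) {
            return trim(explode(',', $server[$key])[0]);
        }
    }
    return $server['REMOTE_ADDR'];
}

// HARDENED pattern: REMOTE_ADDR is the TCP peer and cannot be forged on an
// established connection. X-Forwarded-For is used only when that peer is one
// of our proxies, and it is walked right-to-left, skipping trusted hops, so a
// client-supplied prefix on the left is never reached.
function client_ip_hardened(array $server, array $trusted_proxies): string
{
    $remote = $server['REMOTE_ADDR'];
    if (!in_array($remote, $trusted_proxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        // Anything that is not a valid IP literal means a malformed or injected
        // header; fall back to the peer rather than record garbage.
        if (filter_var($hops[$i], FILTER_VALIDATE_IP) === false) {
            return $remote;
        }
        if (!in_array($hops[$i], $trusted_proxies, true)) {
            return $hops[$i]; // first untrusted hop from the right is the client
        }
    }
    return $remote; // every hop was one of our proxies; use the peer address
}

// Constructed: attacker connects directly and forges a private address.
$direct  = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '10.0.0.5'];
// Constructed: same attacker via our proxy 192.0.2.1, which appended the true peer.
$proxied = ['REMOTE_ADDR' => '192.0.2.1', 'HTTP_X_FORWARDED_FOR' => '10.0.0.5, 203.0.113.7'];
$trusted = ['192.0.2.1'];

// The vulnerable resolver records the forged header value in both cases; the
// hardened one records the attacker's real address in both.
echo client_ip_vulnerable($direct), ' ', client_ip_hardened($direct, $trusted), "\n";
echo client_ip_vulnerable($proxied), ' ', client_ip_hardened($proxied, $trusted), "\n";
```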

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin dashboard > Plugins > Installed Plugins for 'User Activity Log Pro' version. If version is below 2.3.4, it's vulnerable.

Check Version:

wp plugin get user-activity-log-pro --field=version

Verify Fix Applied:

After update, confirm plugin version shows 2.3.4 or higher in WordPress plugins list.

📡 Detection & Monitoring

Log Indicators:

  • Multiple requests from the same user agent with rapidly changing IP addresses
  • IP addresses in logs that don't match the network topology (e.g., private/internal addresses recorded for requests that arrived from the internet)

Network Indicators:

  • HTTP requests containing X-Forwarded-For, X-Real-IP, or similar headers with suspicious values

SIEM Query:

source="wordpress.log" AND "user-activity-log-pro" AND ("X-Forwarded-For" OR "X-Real-IP") | stats count by src_ip
