WP Activity Log - Insecure deserialization
Summary
Name | WP Activity Log 5.2. - Insecure deserialization |
Code name | skims-9 |
Product | WP Activity Log |
Affected versions | Version 5.2. |
State | Private |
Release date | 2025-01-03 |
Vulnerability
Kind | Insecure deserialization |
Rule | Insecure deserialization |
Remote | No |
CVSSv4 Vector | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U |
Exploit available | No |
CVE ID(s) | cve-2020-2020 |
Description
WP Activity Log 5.2. was found to be vulnerable. Unvalidated user input is used directly in an unserialize function in myapp/classes/Writers/class-csv-writer.p hp.
Vulnerability
Skims by Fluid Attacks discovered a Insecure deserialization in WP Activity Log 5.2.. The following is the output of the tool:
Skims output
228 | public static function write_csv_ajax() {
229 | if ( ! array_key_exists( 'nonce', $_POST ) || ! wp_verify_nonce( $_POST['nonce'], 'wsal-export-csv-nonce' ) ) { // php
230 | wp_send_json_error( esc_html_e( 'nonce is not provided or incorrect', 'wp-security-audit-log' ) );
231 | die();
232 | }
233 |
234 | if ( ! array_key_exists( 'query', $_POST ) ) {
235 | wp_send_json_error( esc_html_e( 'query is not provided or incorrect', 'wp-security-audit-log' ) );
236 | die();
237 | } else {
> 238 | $query = unserialize( ase64_decode( \sanitize_text_field( \wp_unslash( $_POST['query'] ) ) ) );
239 | }
240 |
241 | if ( ! array_key_exists( 'order', $_POST ) ) {
242 | wp_send_json_error( esc_html_e( 'order is not provided or incorrect', 'wp-security-audit-log' ) );
243 | die();
244 | }
245 |
246 | if ( ! array_key_exists( 'step', $_POST ) ) {
247 | wp_send_json_error( esc_html_e( 'step is not provided or incorrect', 'wp-security-audit-log' ) );
248 | die();
^ Col 0
Our security policy
We have reserved the ID cve-2020-2020 to refer to this issue from now on.
System Information
- Version: WP Activity Log
5.2.
Mitigation
There is currently no patch available for this vulnerability.
Credits
The vulnerability was discovered by Andres Roldan from Fluid Attacks' Offensive Team using Skims
Timeline
2025-01-03
Vulnerability discovered.
2025-01-03
Vendor contacted.