SQL Injection Vulnerability Patched in WP Activity Log Premium WordPress Plugin

On February 24th, 2024, during the second Wordfence Bug Bounty Extravaganza, a submission was received for an authenticated SQL Injection vulnerability in WP Activity Log Premium, a WordPress plugin with more than 20,000 estimated active installations. This vulnerability can be leveraged to extract sensitive data from the database, such as password hashes.
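The post does not say where in WP Activity Log Premium the injection sits, so the following is an added, generic illustration of the defect class and its fix in WordPress plugin code, not the plugin's own code. A hypothetical log-query function is shown first with request input interpolated into the SQL string and then with the same query bound through `$wpdb->prepare()`; the function names, the `example_log` table and the `event_filter`/`per_page` request parameters are all assumptions made for this example.

```php
<?php
// Added illustration, not WP Activity Log Premium's code. Every name below
// (example_get_log_entries_*, example_log, event_filter, per_page) is hypothetical.

// VULNERABLE PATTERN: request input interpolated straight into SQL.
// Any authenticated user who can reach this code path controls the WHERE clause
// and can alter the query so it returns data from other tables, which is how
// an "authenticated SQL injection" ends up leaking password hashes.
function example_get_log_entries_vulnerable() {
    global $wpdb;
    $table  = $wpdb->prefix . 'example_log';
    $filter = isset( $_GET['event_filter'] ) ? wp_unslash( $_GET['event_filter'] ) : '';

    $sql = "SELECT id, event_type, created_at FROM {$table} "
         . "WHERE event_type = '{$filter}' ORDER BY id DESC";
    return $wpdb->get_results( $sql ); // $filter is never bound as data
}

// HARDENED PATTERN: authorization check, then $wpdb->prepare() binds the values.
function example_get_log_entries_safe() {
    global $wpdb;

    // Authenticated is not the same as authorized: restrict who may read the log.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient privileges.' );
    }

    $table  = $wpdb->prefix . 'example_log';
    $filter = isset( $_GET['event_filter'] )
        ? sanitize_text_field( wp_unslash( $_GET['event_filter'] ) )
        : '';
    // absint() forces a non-negative integer; clamp it to a sane page size.
    $limit  = isset( $_GET['per_page'] ) ? max( 1, min( 500, absint( $_GET['per_page'] ) ) ) : 50;

    // %s and %d are placeholders: prepare() quotes and escapes %s and casts %d
    // to an integer, so the input can no longer change the query's structure.
    // Identifiers (the table name) cannot be placeholders, so the table comes
    // from $wpdb->prefix plus a constant, never from the request.
    $sql = $wpdb->prepare(
        "SELECT id, event_type, created_at FROM {$table} "
        . "WHERE event_type = %s ORDER BY id DESC LIMIT %d",
        $filter,
        $limit
    );
    return $wpdb->get_results( $sql );
}
```

When reviewing a plugin for this class of bug, the check is mechanical: every `$wpdb->query()`, `get_results()`, `get_var()` or `get_row()` call whose SQL string contains a `$` variable that traces back to `$_GET`, `$_POST`, `$_REQUEST` or a REST parameter must go through `$wpdb->prepare()`, and the caller must perform a capability check, since "authenticated" alone (a subscriber-level account) is a low bar.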

Props to 1337_Wannabe who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $400.00 for this discovery during our Bug Bounty Program Extravaganza.

All Wordfence users are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in SQL Injection protection.

Wordfence reached out to Melapress on February 29, 2024 via their contact form. Since we did not receive a reply, we tried another contact method on March 27, 2024, and received a response on March 27, 2024. After providing full disclosure details, the developer released a patch on April 9, 2024. We would like to commend Melapress for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of WP Activity Log Premium, which is version 4.6.4.1, as soon as possible.

Source and more details: https://www.wordfence.com/blog/2024/04/400-bounty-awarded-for-sql-injection-vulnerability-patched-in-wp-activity-log-premium-wordpress-plugin
