While auditing the User Activity Tracking and Log plugin, a significant vulnerability was uncovered. The plugin takes the client IP address it writes to the activity log from the X-Forwarded-For request header, a header any client can set itself. By adding a forged header such as “X-Forwarded-For: 11.11.11.11” to a request, an attacker replaces their real IP address with an arbitrary one in the resulting log entry, for example in the entry recorded when a new post is created.
Main info:

| Field | Value |
| --- | --- |
| CVE | CVE-2024-0970 |
| Plugin | User Activity Tracking and Log < 4.1.4 |
| Severity | Medium |
| All-time downloads | 116 615 |
| Active installations | 3 000+ |
| Publicly published | January 30, 2024 |
| Last updated | January 30, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP Top 10 | A5 (2017): Broken Access Control |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0970, https://wpscan.com/vulnerability/7df6877c-6640-41be-aacb-20c7da61e4db |
Timeline

| Date | Event |
| --- | --- |
| January 11, 2024 | Testing of the User Activity Tracking and Log plugin completed and the vulnerability identified |
| January 11, 2024 | I contacted the plugin author and provided a PoC with a description of the issue and recommendations for a fix |
| January 25, 2024 | The author fixed the vulnerability and released the plugin update (4.1.4) |
| January 30, 2024 | CVE-2024-0970 registered |
Discovery of the Vulnerability
During testing of the plugin, a vulnerability was discovered that lets any client substitute an arbitrary IP address for its real one in the addresses the plugin records in the activity log.
Understanding IP Spoofing Attacks
IP Spoofing is a technique in which an attacker presents a false (or “spoofed”) source address so that the recipient is deceived about the origin of a message. At the application layer, the usual form is not a forged IP packet but a forged HTTP header: reverse proxies and load balancers append the original client address to X-Forwarded-For, and applications that read that header without checking that a trusted proxy actually set it will accept whatever value the client supplies. In WordPress this matters most for user activity tracking, where the recorded IP is used to attribute actions, detect anomalies and investigate incidents. Real-world consequences include an attacker making their actions appear to come from another user's address or falsifying the activity log, as in the case of this plugin.
Exploiting the IP Spoofing Vulnerability
Exploiting the IP Spoofing vulnerability in the User Activity Tracking and Log plugin involves manipulating the X-Forwarded-For header. An attacker sends an otherwise normal request with a crafted header (e.g. “X-Forwarded-For: 11.11.11.11”), and the plugin records the request as coming from that address rather than from the connection's real source. The result is falsified entries in the activity log and a distorted view of user actions within the WordPress environment.
PoC:
Add the header X-Forwarded-For: 11.11.11.11 to any request that produces an activity log entry, for example the request that creates a new post. The new log entry records 11.11.11.11 as the source address instead of the address the request actually came from.
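The following is an added example, not code from the User Activity Tracking and Log plugin or from the author of this post. It reproduces the class of bug the PoC exercises: a logger that prefers X-Forwarded-For over REMOTE_ADDR without checking who set the header. The function names, the log format and the request values are assumptions made for the illustration.

```php
<?php
// Added example, not the plugin's code. Models the spoofable pattern: trust
// X-Forwarded-For whenever it is present. Names and values are illustrative.

declare(strict_types=1);

/**
 * The pattern that makes the log spoofable. If the client sent an
 * X-Forwarded-For header, believe it; otherwise use the TCP peer address.
 * On a server that is not behind a reverse proxy, every byte of that header
 * comes straight from the client, so the "client IP" is attacker-chosen.
 */
function naive_client_ip(array $server): string
{
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        // Left-most entry: exactly the part a client controls.
        $parts = explode(',', $server['HTTP_X_FORWARDED_FOR']);
        return trim($parts[0]);
    }
    return $server['REMOTE_ADDR'] ?? '';
}

/** Build the log line an activity logger would store for one action. */
function activity_log_line(array $server, string $user, string $action): string
{
    return sprintf('user=%s action=%s ip=%s', $user, $action, naive_client_ip($server));
}

// Constructed requests, shaped like PHP's $_SERVER. The peer address is the
// attacker's real one (a TEST-NET-3 address); the header is the PoC value.
// Over the wire this is the PoC itself: the authenticated request that
// creates a post, sent with  curl -H 'X-Forwarded-For: 11.11.11.11'  added.
$honest_request = [
    'REMOTE_ADDR' => '203.0.113.45',
    'REQUEST_URI' => '/wp-admin/post.php',
];
$forged_request = [
    'REMOTE_ADDR'          => '203.0.113.45', // where the connection really came from
    'HTTP_X_FORWARDED_FOR' => '11.11.11.11',  // attacker-chosen value
    'REQUEST_URI'          => '/wp-admin/post.php',
];

// The second line records the forged address; the real one is lost.
echo activity_log_line($honest_request, 'editor', 'post_created'), PHP_EOL;
echo activity_log_line($forged_request, 'editor', 'post_created'), PHP_EOL;
```

Run with `php poc_pattern.php`: the first line carries the connection's real address, the second carries 11.11.11.11, and nothing in the stored record shows that the two requests came from the same host. That loss of the real source address is the whole vulnerability.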
The potential risks associated with IP Spoofing in this context are substantial. An attacker, by successfully manipulating the IP address in the activity log, can potentially:
- Conceal their Identity: The attacker can hide their true IP address, making it difficult to trace their activities back to a specific source.
- Impersonate Users: By supplying an IP address associated with a legitimate user or network, an attacker can make their actions appear to originate from that user, so that an investigation attributes the activity to the wrong party.
- Distort Activity Logs: The integrity of activity logs is compromised, making it challenging to accurately track user actions, detect anomalies, or conduct forensic analysis.
In a real-world scenario, an attacker might exploit this vulnerability to manipulate the perception of user activities, creating confusion and potentially evading detection.
Recommendations for Improved Security
- Validate IP Addresses: Take the client address from REMOTE_ADDR, the address of the TCP connection, and validate any value before writing it to the log (for example with filter_var and FILTER_VALIDATE_IP), so that neither a forged address nor an arbitrary string can be recorded.
- Trust X-Forwarded-For Only From Known Proxies: A client can set any request header, so the header cannot be made tamper-proof. Honour it only when REMOTE_ADDR is a reverse proxy or load balancer operated by the site, and then use the right-most entry that does not belong to one of those proxies; the left-most entry is the one the client controls.
- Tie Log Entries to the Authenticated User: Identify the actor by the WordPress session and user ID rather than by IP address, and store REMOTE_ADDR alongside any forwarded address so that a spoofing attempt remains visible in the log.
- Regular Security Audits: Conduct routine security audits to identify and address vulnerabilities, including unsafe handling of client-supplied headers.
- Educate Users: Make administrators aware that logged IP addresses are only as reliable as the code that records them, and encourage reporting of suspicious or inconsistent log entries.
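The resolver below is an added example of the first three recommendations, written for this post rather than taken from the plugin. It assumes a site operator who knows the addresses of their own reverse proxies (here the made-up address 10.0.0.2); the function names, the record layout and the sample requests are assumptions for the illustration.

```php
<?php
// Added example, not the plugin's code. Resolves the client address so that
// X-Forwarded-For is honoured only when a proxy we run appended it, and keeps
// the raw header in the record for forensics. Proxy list and names assumed.

declare(strict_types=1);

/**
 * Resolve the client IP for logging.
 *
 *  1. If REMOTE_ADDR is not one of our proxies, the request reached PHP
 *     directly and X-Forwarded-For is attacker-controlled: ignore it.
 *  2. Otherwise walk X-Forwarded-For from the right (the last hop appended
 *     the right-most entry), skipping addresses that are our own proxies.
 *     The first address that is not ours is the client; anything further
 *     left was supplied by the client and stays untrusted.
 *  3. Reject anything that is not a syntactically valid IP address.
 */
function resolve_client_ip(array $server, array $trusted_proxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return ''; // malformed peer address: record nothing rather than garbage
    }
    if (!in_array($remote, $trusted_proxies, true)) {
        return $remote; // rule 1: no proxy of ours in front, header is untrusted
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (in_array($hop, $trusted_proxies, true)) {
            continue; // an intermediate proxy we own: keep walking left
        }
        if (filter_var($hop, FILTER_VALIDATE_IP) !== false) {
            return $hop; // rule 2: first untrusted, well-formed hop is the client
        }
        return $remote; // rule 3: junk in the header, fall back to the peer
    }
    return $remote; // header empty or made only of our own proxies: use the peer
}

/**
 * Activity record that keeps the evidence: identity from the session, the
 * resolved address, the raw peer address and the raw header, so that a
 * failed spoofing attempt is still visible to an investigator.
 */
function activity_record(array $server, array $trusted_proxies, int $user_id, string $action): array
{
    return [
        'user_id'     => $user_id, // identity comes from the session, not from the IP
        'action'      => $action,
        'ip'          => resolve_client_ip($server, $trusted_proxies),
        'remote_addr' => $server['REMOTE_ADDR'] ?? '',
        'xff_raw'     => $server['HTTP_X_FORWARDED_FOR'] ?? '',
    ];
}

// Constructed scenarios. Assumed proxy: 10.0.0.2. Real client: 203.0.113.45.
$proxies = ['10.0.0.2'];

// A: no proxy, the client connects to PHP directly and forges the header.
$direct_forged = ['REMOTE_ADDR' => '203.0.113.45', 'HTTP_X_FORWARDED_FOR' => '11.11.11.11'];
// B: behind our proxy, which appended the real client after a forged entry.
$via_proxy_forged = ['REMOTE_ADDR' => '10.0.0.2', 'HTTP_X_FORWARDED_FOR' => '11.11.11.11, 203.0.113.45'];
// C: behind our proxy, the client sent junk in the header.
$via_proxy_junk = ['REMOTE_ADDR' => '10.0.0.2', 'HTTP_X_FORWARDED_FOR' => 'not-an-ip'];

foreach (['A' => $direct_forged, 'B' => $via_proxy_forged, 'C' => $via_proxy_junk] as $label => $srv) {
    $rec = activity_record($srv, $proxies, 7, 'post_created');
    printf("%s ip=%s remote_addr=%s xff=\"%s\"\n", $label, $rec['ip'], $rec['remote_addr'], $rec['xff_raw']);
}
```

In scenario A the forged header is ignored and the real address is logged; in B the forged left-most entry is skipped and the proxy-appended client address is used; in C the record falls back to the peer address while `xff_raw` preserves the junk the client sent. The trusted-proxy list must be configuration the site operator controls, never something derived from the request.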
By incorporating these recommendations, the User Activity Tracking and Log plugin can bolster its security posture, thwart IP Spoofing attempts, and maintain the integrity of user activity logs in WordPress installations.
DMITRII I.