While scrutinizing the User Activity Tracking and Log plugin, a significant vulnerability was uncovered. This flaw allows an attacker to replace their actual IP address with any arbitrary IP address, specifically by adding a forged “X-Forwarded-For: 11.11.11.11” header to requests. This manipulation is evident in the activity log, such as during the creation of a new post.

Main info:

CVE: CVE-2024-0970
Plugin: User Activity Tracking and Log < 4.1.4
Critical: Medium
All Time: 116 615
Active installations: 3 000+
Publicly Published: January 30, 2023
Last Updated: January 30, 2023
Researcher: Dmitrii Ignatyev
OWASP TOP-10: A5: Broken Access Control
PoC: Yes
Exploit: No
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0970
https://wpscan.com/vulnerability/7df6877c-6640-41be-aacb-20c7da61e4db

Timeline

January 11, 2023: Plugin testing and vulnerability detection in the User Activity Tracking and Log have been completed
January 11, 2023: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
January 25, 2023: The author fixed the vulnerability and released the plugin update
January 30, 2023: Registered CVE-2024-0970

Discovery of the Vulnerability

During testing of the plugin, a vulnerability was discovered that allows an attacker to replace their real IP address with an arbitrary one.

Understanding IP Spoofing Attacks

IP Spoofing is a technique where an attacker sends IP packets from a false (or “spoofed”) source address to deceive recipients about the origin of the message. In WordPress, IP Spoofing can have severe consequences, especially when it comes to user activity tracking. Real-world examples could include an attacker forging their IP address to impersonate another user or to manipulate activity logs, as in the case of this plugin.

Exploiting the IP Spoofing Vulnerability

Exploiting the IP Spoofing vulnerability in the User Activity Tracking and Log plugin involves manipulating the X-Forwarded-For header. An attacker can send requests with a crafted header (e.g., “X-Forwarded-For: 11.11.11.11”) to make it appear as if the request is coming from a different IP address. This can lead to falsified entries in the activity log, creating a distorted view of user actions within the WordPress environment.

POC:

Add the header X-Forwarded-For: 11.11.11.11 to any request that is recorded in the activity log, for example the creation of a new post.

The potential risks associated with IP Spoofing in this context are substantial. An attacker, by successfully manipulating the IP address in the activity log, can potentially:

  • Conceal their Identity: The attacker can hide their true IP address, making it difficult to trace their activities back to a specific source.
  • Impersonate Users: By spoofing IP addresses associated with legitimate users, an attacker may impersonate others, leading to confusion and potential misuse.
  • Distort Activity Logs: The integrity of activity logs is compromised, making it challenging to accurately track user actions, detect anomalies, or conduct forensic analysis.

In a real-world scenario, an attacker might exploit this vulnerability to manipulate the perception of user activities, creating confusion and potentially evading detection.

Recommendations for Improved Security

  • Validate IP Addresses: Implement strict validation of IP addresses to ensure that only legitimate, unaltered IP addresses are accepted.
  • Use Secure Headers: Employ secure headers and mechanisms to ensure the integrity of HTTP headers, preventing manipulation.
  • Implement Session Management: Implement robust session management practices to enhance user identification and tracking.
  • Regular Security Audits: Conduct routine security audits to identify and address vulnerabilities, including those related to IP Spoofing.
  • Educate Users: Educate users about the importance of secure practices and the risks associated with IP Spoofing, encouraging vigilance and reporting of suspicious activities.

By incorporating these recommendations, the User Activity Tracking and Log plugin can bolster its security posture, thwart IP Spoofing attempts, and maintain the integrity of user activity logs in WordPress installations.
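To make the "Validate IP Addresses" recommendation concrete, the sketch below contrasts a header-trusting lookup with one that honours X-Forwarded-For only when the TCP peer is a known reverse proxy. It is an added example, not code from the plugin or its fix; the function names, the trusted-proxy list and the sample requests are assumptions.

```php
<?php
// Added example. Function names and $trusted are hypothetical; sample requests are constructed.

// Pattern that produces the bug: a client-supplied header overrides the socket address.
function naive_client_ip(array $server): string {
    return $server['HTTP_X_FORWARDED_FOR'] ?? $server['REMOTE_ADDR'];
}

// Hardened: use X-Forwarded-For only if the direct peer is a proxy we operate.
// Simplification: proxies are matched as exact addresses, not CIDR ranges.
function logged_client_ip(array $server, array $trusted_proxies): string {
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trusted_proxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer; // direct connection: the header is untrusted input, ignore it
    }
    // Walk the chain right to left. Entries on the right were appended by our
    // own proxies; everything to the left of the first foreign hop is forgeable.
    $hops = array_reverse(array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'])));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer; // malformed chain: fall back to the socket address
        }
        if (!in_array($hop, $trusted_proxies, true)) {
            return $hop;  // first hop that is not ours is the client our edge saw
        }
    }
    return $peer;
}

$trusted = ['10.0.0.5'];

// Constructed request 1: client connects directly and forges the header.
$direct = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '11.11.11.11'];

// Constructed request 2: client behind our proxy prepends a forged entry;
// the proxy appends the address it actually saw.
$proxied = ['REMOTE_ADDR' => '10.0.0.5',
            'HTTP_X_FORWARDED_FOR' => '11.11.11.11, 198.51.100.23'];

echo 'naive, direct:     ', naive_client_ip($direct), "\n";
echo 'hardened, direct:  ', logged_client_ip($direct, $trusted), "\n";
echo 'hardened, proxied: ', logged_client_ip($proxied, $trusted), "\n";
```

For audit purposes it is also worth logging the raw REMOTE_ADDR alongside the resolved address, so a forged header never replaces the only trustworthy value in the record.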


DMITRII I.
