Activity Log Plugin on WordPress HTTP Header X-Forwarded-For neutralization for logs
A vulnerability has been found in the Activity Log Plugin on WordPress and classified as critical. It affects unknown code of the component HTTP Header Handler. Manipulation of the X-Forwarded-For header value leads to improper output neutralization for logs; the problem is classified as CWE-117 (an attacker-controlled header value is written into the activity log without removing line breaks or other control characters, so a single request can forge or corrupt log entries). The weakness was published on 11/11/2022. The advisory is shared for download at drive.google.com. The vulnerability was assigned CVE-2022-3941. The attack can be initiated remotely. Technical details are available, and an exploit is available: it has been disclosed to the public, is declared as proof-of-concept, and can be downloaded at drive.google.com. The current price for an exploit might be approx. USD $0-$5k at the moment; as a 0-day the estimated underground price was around $0-$5k. A possible mitigation was published before, not after, the disclosure of the vulnerability.
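The following is an added example, not the plugin's code or its published fix, showing how a PHP logger would neutralize a client-supplied X-Forwarded-For value before recording it (the header string and the function names are constructed for illustration):

```php
<?php
// Added example (not the plugin's code): neutralize a client-supplied
// X-Forwarded-For value before it reaches an activity log (CWE-117).

/**
 * Return the first syntactically valid IP literal from an X-Forwarded-For
 * header, or null if none is present. Anything that is not an IP literal
 * is discarded, so CR/LF or other injected text never reaches the log.
 * Note: the header is client-controlled, so the value is only useful as
 * a logged hint, never as a trusted identity.
 */
function xff_client_ip(string $header): ?string {
    foreach (explode(',', $header) as $candidate) {
        $candidate = trim($candidate);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    return null;
}

/**
 * Last line of defence for any free-text log field: strip ASCII control
 * characters (including CR and LF) and cap the length, so one request
 * cannot append forged lines or flood the log.
 */
function neutralize_log_field(string $value, int $max = 200): string {
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '', $value) ?? '';
    return substr($clean, 0, $max);
}

// Constructed sample: a header that smuggles a line break and a fake entry.
$raw = "203.0.113.9\r\n[11/11/2022 10:00:00] admin login from 198.51.100.1";

// Vulnerable pattern: the raw header is interpolated as-is, so the log
// gains a second, forged line.
$unsafe = "[ip=" . $raw . "] login failed\n";
assert(substr_count($unsafe, "\n") === 2);

// Hardened pattern: validate as an IP first; the sample fails validation,
// so a fixed marker is logged instead of the attacker's text.
$ip   = xff_client_ip($raw) ?? 'invalid-xff';
$safe = "[ip=" . neutralize_log_field($ip) . "] login failed\n";
assert($safe === "[ip=invalid-xff] login failed\n");

// A well-formed proxy chain still yields a usable address.
assert(xff_client_ip("198.51.100.7, 203.0.113.9") === "198.51.100.7");
echo $safe;
```

The same neutralize_log_field() step belongs on every other client-derived field the plugin records (user agent, referer, usernames), not only on X-Forwarded-For.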