CVE-2024-2018 in WP Activity Log Premium Plugin
Summary
by MITRE • 04/09/2024
The WP Activity Log Premium plugin for WordPress is vulnerable to SQL Injection via the entry->roles parameter in all versions up to, and including, 4.6.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber privileges to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. One demonstrated attack included the injection of a PHP Object.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 04/14/2026
The WP Activity Log Premium plugin represents a critical security vulnerability classified as CVE-2024-2018, which affects WordPress environments through a SQL injection flaw in versions up to and including 4.6.4. This vulnerability resides within the plugin's handling of the entry->roles parameter, demonstrating a fundamental failure in input validation and sanitization practices. The flaw allows authenticated attackers who possess subscriber-level privileges to manipulate database queries through crafted input, exploiting the insufficient escaping mechanisms that should have been implemented to protect against malicious data injection. The vulnerability directly maps to CWE-89, which specifically addresses SQL injection flaws where insufficient input escaping allows attackers to manipulate database queries through user-supplied data.
The technical exploitation of this vulnerability occurs through the manipulation of the entry->roles parameter, which serves as the attack vector for injecting malicious SQL code into existing database queries. When an authenticated subscriber submits malicious input through this parameter, the plugin fails to properly sanitize or prepare the data before incorporating it into SQL statements, creating a pathway for attackers to execute arbitrary database commands. The attack demonstrates particular sophistication in leveraging PHP object injection techniques, where attackers can embed serialized PHP objects that, when processed by the vulnerable plugin, can trigger unintended code execution. This approach enables attackers to bypass standard security controls and gain unauthorized access to database contents.
The operational impact of this vulnerability extends beyond simple data extraction to include potential full system compromise through the exploitation of PHP object injection mechanisms. Attackers can leverage the SQL injection to extract sensitive information from the WordPress database, including user credentials, session data, and other confidential information stored within the system. The ability to append additional SQL queries to existing database operations creates a persistent threat vector that can be used for extended reconnaissance and data exfiltration. This vulnerability particularly affects WordPress installations where the WP Activity Log Premium plugin is deployed, making it a significant concern for organizations that rely on this specific plugin for monitoring and logging activities.
Mitigation strategies for CVE-2024-2018 require immediate action including upgrading the WP Activity Log Premium plugin to version 4.6.5 or later, which contains the necessary patches to address the SQL injection vulnerability. Organizations should also implement additional security measures such as input validation at multiple layers, proper parameterization of database queries, and regular security auditing of WordPress plugins. The vulnerability highlights the importance of proper input sanitization and the need for comprehensive security testing of all user-supplied data within web applications. Security teams should monitor for exploitation attempts and consider implementing web application firewalls to detect and block malicious SQL injection patterns. This vulnerability demonstrates the critical importance of keeping WordPress plugins updated and following security best practices to prevent authenticated attackers from exploiting weaknesses in application code. The attack vector specifically targets the principle of least privilege, where a low-privilege user can escalate their access through database manipulation techniques that should have been prevented through proper security controls.