Edwin Molenaar, July 2016

Cross-Site Scripting vulnerability in search function Activity Log WordPress Plugin

Abstract

A Cross-Site Scripting vulnerability was found in the Activity Log WordPress Plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a victim into opening a malicious website/link.

Contact

For feedback or questions about this advisory mail us at sumofpwn at securify.nl

The Summer of Pwnage

This issue was found during the Summer of Pwnage hacker event, running from July 1-29: a community summer event in which a large group of security bug hunters from around the world collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.

OVE ID

OVE-20160718-0002

Tested versions

This issue was successfully tested on Activity Log WordPress Plugin version 2.3.2.

Fix

This issue is fixed in Activity Log version 2.3.3.

Introduction

The Activity Log WordPress Plugin helps monitor & log all changes and activities on a WordPress site. A reflected Cross-Site Scripting vulnerability exists in the Activity Log WordPress plugin. This vulnerability allows an attacker to perform any action with the privileges of the target user.

Details

The vulnerability is caused by improper filtering of the search input parameter $search_data in the file aryo-activity-log/classes/class-aal-activity-log-list-table.php at line 483. The WordPress sanitize_text_field sanitizer is applied, but it is an input filter, not an output encoder: it still lets spaces, " and () through, and the result is echoed into the value attribute of the search input without esc_attr(). A double quote therefore closes the attribute, which is enough to craft a Cross-Site Scripting payload.

public function search_box( $text, $input_id ) {

   // sanitize_text_field() strips tags and whitespace runs but does not HTML-encode quotes
   $search_data = isset( $_REQUEST['s'] ) ? sanitize_text_field( $_REQUEST['s'] ) : '';

   $input_id = $input_id . '-search-input';
   ?>
   <p class="search-box">
      <label class="screen-reader-text" for="<?php echo $input_id ?>"><?php echo $text; ?>:</label>
      <!-- $search_data is echoed into an attribute without esc_attr(): this is the injection point -->
      <input type="search" id="<?php echo $input_id ?>" name="s" value="<?php echo $search_data; ?>" />
      <?php submit_button( $text, 'button', false, false, array('id' => 'search-submit') ); ?>
   </p>
   <?php
}

When a search on the activity log is performed, a CSRF token is added to the URL; however, it is not checked. Consequently, the issue can be exploited by luring the target user into clicking a specially crafted link or visiting a malicious website (or advertisement).
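For comparison, a hardened version of the search_box() method, added here as an illustrative example and not the plugin's actual 2.3.3 fix: every value written into HTML is encoded for its context with esc_attr()/esc_html(), and the nonce that the search URL already carries is verified before the value is reused. The wrapping class name and the nonce action name 'aal-search' are assumptions, not identifiers from the plugin.

```php
<?php
// Illustrative hardening of the vulnerable search_box() method (not the plugin's own code).
// Assumes it runs inside WordPress, so sanitize_text_field(), esc_attr(), esc_html(),
// wp_verify_nonce() and submit_button() are the real WordPress functions.
class Hardened_Search_Box_Example { // assumed class name, for syntactic completeness only

    public function search_box( $text, $input_id ) {

        // Input filtering is kept, but it does not protect the HTML attribute context:
        // sanitize_text_field() leaves double quotes intact.
        $search_data = isset( $_REQUEST['s'] ) ? sanitize_text_field( $_REQUEST['s'] ) : '';

        // The token the list table adds to the search URL is now actually checked.
        // 'aal-search' is an assumed action name; the plugin's real one is not on the page.
        $nonce = isset( $_REQUEST['_wpnonce'] ) ? $_REQUEST['_wpnonce'] : '';
        if ( '' !== $search_data && ! wp_verify_nonce( $nonce, 'aal-search' ) ) {
            // A link crafted by a third party cannot carry the victim's nonce, so drop the value.
            $search_data = '';
        }

        $input_id = $input_id . '-search-input';
        ?>
        <p class="search-box">
            <label class="screen-reader-text" for="<?php echo esc_attr( $input_id ); ?>"><?php echo esc_html( $text ); ?>:</label>
            <!-- esc_attr() turns " into &quot; so the value can no longer close the attribute -->
            <input type="search" id="<?php echo esc_attr( $input_id ); ?>" name="s" value="<?php echo esc_attr( $search_data ); ?>" />
            <?php submit_button( $text, 'button', false, false, array( 'id' => 'search-submit' ) ); ?>
        </p>
        <?php
    }
}
```

Output encoding with esc_attr() is the fix that removes the XSS; the nonce check only reduces the exposure to crafted links and must not be relied on alone.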

Proof of concept

http://<target>/wp-admin/admin.php?page=activity_log_page&s=111"+onfocus=alert(document.domain)+"+autofocus="&paged=1