CVE-2020-36716
First published: Wed Jun 07 2023(Updated: )
The WP Activity Log plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the setup_page function in versions up to, and including, 4.0.1. This makes it possible for unauthenticated attackers to run the setup wizard (if it has not been run previously) and access plugin configuration options.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Melapress WP Activity Log | <=4.0.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this vulnerability?
The vulnerability ID is CVE-2020-36716.
What is the vulnerability description?
The WP Activity Log plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the setup_page function in versions up to, and including, 4.0.1.
Is this vulnerability high severity?
Yes, this vulnerability has a severity keyword of high with a severity value of 7.3.
How can an attacker exploit this vulnerability?
An unauthenticated attacker can exploit this vulnerability by running the setup wizard if it has not been run previously and gain unauthorized access.
Are there any fixes or patches available for this vulnerability?
Yes, fixes for this vulnerability are available in versions after 4.0.1 of the WP Activity Log plugin for WordPress.
- agent/type
- agent/softwarecombine
- agent/references
- agent/remedy
- agent/weakness
- agent/severity
- agent/author
- agent/description
- agent/first-publish-date
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/wpwhitesecurity
- canonical/melapress wp activity log
- version/melapress wp activity log/4.0.1