User Activity Log WordPress Plugin Unauthenticated Arbitrary Option Update Vulnerability

Vulnerability

A vulnerability exists in the User Activity Log WordPress plugin, affecting versions through 2.2. The issue arises because the plugin does not properly manage failed login attempts in certain situations. This flaw allows unauthenticated users to arbitrarily modify specific options, such as enabling User Registration when it has been disabled.

Impact

Exploitation of this vulnerability could lead to unauthorized changes in WordPress settings, such as enabling user registration features without proper authorization.

Reproduction

To reproduce this vulnerability, first set the 'Keep Failed Login Logs' option to 'Keep' (the default setting) and adjust the 'Number of failed login for non existing user' to '1' through the plugin's settings. Once these configurations are in place, an unauthenticated user can send a POST request to 'wp-login.php' with the 'log' parameter set to 'users_can_register' and the 'pwd' parameter set to anything. This action will enable the User Registration option if it was previously turned off.
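The reproduction above shows the tell-tale shape of an exploitation attempt: a failed login whose attempted username is a WordPress core option name rather than a real account. Because the plugin keeps failed-login logs by default, that signal is already being recorded. The following detection script is an added example written for this advisory; it is not code from the plugin or from the advisory's author. It assumes a constructed one-line-per-attempt log format (`<timestamp> <ip> login_failed user=<name>`), which is not the plugin's own format, and it flags attempts whose username matches a real WordPress option name. A second helper compares a saved baseline of sensitive options against their current values so an unexpected flip of `users_can_register` is caught even if the log was missed.

```python
"""Detect failed logins whose username is a WordPress option name, and
report drift in sensitive options. Added example for this advisory; the
log format and sample data are constructed, not the plugin's own."""
import re
from dataclasses import dataclass

# Real WordPress core option names (a subset). None of these is a plausible
# username, so a failed login using one is a strong indicator of the pattern
# described in the advisory (option names are case-sensitive in wp_options).
WP_CORE_OPTIONS = frozenset({
    "users_can_register", "default_role", "admin_email", "siteurl", "home",
    "blogname", "active_plugins", "template", "stylesheet",
    "permalink_structure",
})

# Constructed log format: "<timestamp> <ip> login_<failed|ok> user=<name>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) login_(?P<result>failed|ok) user=(?P<user>.*)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    ip: str
    user: str


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_option_name_logins(lines):
    """Return a Finding for every failed login whose username is a core option name."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["result"] != "failed":
            continue  # malformed line or a successful login: not of interest
        if rec["user"].strip() in WP_CORE_OPTIONS:
            findings.append(Finding(rec["ts"], rec["ip"], rec["user"].strip()))
    return findings


def option_drift(baseline, current, watched=("users_can_register", "default_role")):
    """Return {name: (old, new)} for watched options whose value changed.

    'baseline' and 'current' are plain dicts of option name -> value, e.g. as
    exported with `wp option get <name>` at two points in time (assumption:
    the caller collects them; this function only diffs them)."""
    return {
        name: (baseline.get(name), current.get(name))
        for name in watched
        if baseline.get(name) != current.get(name)
    }


# Constructed sample log: one successful login, one ordinary failed login,
# two failed logins that use option names, and one malformed line.
SAMPLE_LOG = [
    "2026-01-28T06:00:01Z 198.51.100.10 login_ok user=admin",
    "2026-01-28T06:00:05Z 198.51.100.10 login_failed user=admin",
    "2026-01-28T06:00:09Z 203.0.113.7 login_failed user=users_can_register",
    "2026-01-28T06:00:12Z 203.0.113.7 login_failed user=default_role",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for f in find_option_name_logins(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} failed login using option name '{f.user}'")
    drift = option_drift({"users_can_register": "0"}, {"users_can_register": "1"})
    for name, (old, new) in drift.items():
        print(f"option {name} changed: {old!r} -> {new!r}")
```

Run it against a real failed-login export by replacing `SAMPLE_LOG` with lines in the same constructed format; a hit on `users_can_register` or `default_role` from an unauthenticated source, followed by a drift report on the same option, is the sequence the advisory describes and a prompt to reset the option and upgrade the plugin.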

Added: Jan 28, 2026, 6:21 AM
Updated: Jan 28, 2026, 6:21 AM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 2.5
exploitability: 9.7
remediation: 0.0
relevance: 2.4
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.