Description

The User Activity Tracking and Log WordPress plugin before 4.1.4 retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate their value.

PUBLISHED Reserved 2024-01-26 | Published 2025-05-15 | Updated 2025-11-13 | Assigner WPScan

Problem types

CWE-290 Authentication Bypass by Spoofing

Product status

Default status: unaffected

Any version before 4.1.4: affected

Credits

Dmitrii Ignatyev (finder)

WPScan (coordinator)

References

wpscan.com/...rability/7df6877c-6640-41be-aacb-20c7da61e4db/ exploit vdb-entry technical-description

cve.org (CVE-2024-0970)

nvd.nist.gov (CVE-2024-0970)
