Command Injection Vulnerability found in WordPress Plainview Activity Monitor v20161228 and Prior

A command injection vulnerability has been found in WordPress, the widely used personal blogging and website creation platform. The vulnerability exists in the Plainview Activity Monitor WordPress plugin, and it has been assigned the identifier CVE-2018-15877.

The command injection vulnerability in the Plainview Activity Monitor plugin for WordPress puts it at severe risk of a remote attacker executing commands on the affected system. The injected commands enter the service as unfit input data, specifically through the IP parameter passed to activities_overview.php.

On its own, this command injection vulnerability is not remotely exploitable. Unfortunately, the same plugin suffers from two other vulnerabilities: a cross-site request forgery (CSRF) vulnerability and a reflected cross-site scripting (XSS) vulnerability. When all three are exploited together, an attacker is able to remotely execute commands on another user's system, gaining unauthorized access to the user's private data.
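The three weaknesses described above each have a standard server-side control. The handler below is an added illustration, not the plugin's code and not taken from the advisory; the function name, the form field names and the use of `dig` as the lookup tool are assumptions.

```php
<?php
// Added example: hypothetical admin "IP lookup" handler, not the plugin's code.
// Assumptions: form fields "ip" and "csrf_token"; lookup tool is dig.
const LOOKUP_TOOL = '/usr/bin/dig'; // assumed path, adjust for your system

function handle_lookup(array $post, string $sessionToken): string
{
    // 1. CSRF: refuse any request that lacks the per-session token.
    $token = $post['csrf_token'] ?? '';
    if (!is_string($token) || !hash_equals($sessionToken, $token)) {
        return 'Request rejected: invalid token.';
    }

    // 2. Command injection: accept only a syntactically valid IP address.
    $ip = $post['ip'] ?? '';
    if (!is_string($ip) || filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return 'Request rejected: not an IP address.';
    }

    // 3. Pass arguments as an array so no shell ever parses the value
    //    (array form of proc_open requires PHP 7.4 or later).
    $cmd  = [LOOKUP_TOOL, '+time=1', '+tries=1', '-x', $ip];
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return 'Lookup tool unavailable.';
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);

    // 4. Reflected XSS: HTML-encode everything echoed back to the browser.
    return '<pre>' . htmlspecialchars($ip . "\n" . $out, ENT_QUOTES, 'UTF-8') . '</pre>';
}

// Constructed sample requests (documentation-range address, random token).
$token = bin2hex(random_bytes(16));
echo handle_lookup(['ip' => '192.0.2.10', 'csrf_token' => 'wrong'], $token), "\n";
echo handle_lookup(['ip' => 'not-an-ip', 'csrf_token' => $token], $token), "\n";
echo handle_lookup(['ip' => '192.0.2.10', 'csrf_token' => $token], $token), "\n";
```

Any one of the three checks breaks the chain, but all three belong in the handler because each closes a separate weakness.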

According to the details released by WordPress, the vulnerability was first discovered on the 25th of August this year. A CVE identifier was requested the very same day, and the vulnerability was reported to WordPress the following day as part of the mandatory vendor notice. WordPress quickly released a new version of the plugin, version 20180826. This new version is expected to resolve the vulnerability, which was found to exist in versions 20161228 and older of the Plainview Activity Monitor plugin.

This vulnerability was thoroughly discussed and described in a post on GitHub, where a proof of concept for the corresponding exploit is also provided. To mitigate the risks posed, WordPress users are urged to update their systems so that the newest version of the Plainview Activity Monitor plugin is in use.

Aaron Michael