Every additional plugin that you add to your WordPress website adds additional security risk, that includes security plugins. Recently we did a quick check over plugins designed to allow you to keep track actions taken by users on your website. In several of cases we found rather minor security vulnerabilities. One of those was an authenticated information disclosure vulnerability in the plugin Activity Log, which allows anyone logged in to WordPress to see the display name of other users on the website (which would normally be their first and last names), their role, and their user ID number. The value of that information would depend on if the users’ names was something that some would rather not be public and if there was some possibility that the information could be used to assist a malicious attacker in gaining further access to the website.

The vulnerability is due to the AJAX accessible function ajax_aal_get_properties(), in the file /classes/class-aal-settings.php, not having a check to make sure that the request is coming from a user who should be able to access to it (normally that would only be Administrator level users): [Read more]