Vulnerability Checker

I have the latest version of the plugin " Activity Log – Monitor & Record User Changes" installed on 15 sites.

The vulnerability checker tells me that the plugin is vulnerable on 14 of the 15 sites.

The message is as follows:
https://i.imgur.com/3PI3zfI.png

I have re-installed the plugin and re-checked, but got the same result.

  1. Why am I getting this warning?
  2. Why doesn’t it appear on all of them if they all have the same version of the plugin?
  3. How do I fix it?

Thanks in advance

Hey @suki

Which API are you using in the Vulnerability Checker Settings?

And can you please post the community system report from your MainWP Dashboard for review? The report is located in your Dashboard under Info → Server (your-mainwp-dashboard.com/wp-admin/admin.php?page=ServerInformation), on the top right of the page.

Be sure to use the button like the one below; this button hides all your private information:


Pressing the button auto-copies the report to your clipboard then just paste it in a reply here.

MainWP NVD

The results seem random.

Without updating anything, today, for example, that warning only appears on four websites (previously on 14), but now other warnings appear that did not appear yesterday, but with dates from several years ago!

https://i.imgur.com/DU2UJwB.png

WordPress

| Check | Required | Detected | Status |
|---|---|---|---|
| FileSystem Method | = direct | direct | Pass |
| MultiSite Disabled | =true | true | Pass |
| WordPress Memory Limit | >=64M | 256M | Pass |
| WordPress Version | >=6.2 | 6.8.2 | Pass |

PHP

| Check | Required | Detected | Status |
|---|---|---|---|
| cURL Extension Enabled | =true | true | Pass |
| cURL Timeout | >=300 seconds | 60 | Warning |
| cURL Version | >=7.29.0 | 7.76.1 | Pass |
| Function tmpfile enabled | N/A | Enabled | Pass |
| OpenSSL Version | >=OpenSSL/1.1.0 | OpenSSL/3.2.2 | Pass |
| OpenSSL Working Status | Yes | Yes | Pass |
| PCRE Backtracking Limit | >=10000 | 1000000 | Pass |
| PHP Allow URL fopen | N/A | YES | |
| PHP Disabled Functions | N/A | No functions disabled. | |
| PHP Exif Support | N/A | YES | |
| PHP IPTC Support | N/A | YES | |
| PHP Loaded Extensions | N/A | Core, PDO, PDO_ODBC, Phar, Reflection, SPL, SimpleXML, SourceGuardian, Zend OPcache, apcu, bcmath, bz2, calendar, ctype, curl, date, dba, dom, enchant, exif, fileinfo, filter, ftp, gd, gettext, gmp, hash, i360, iconv, imap, intl, ionCube Loader, json, ldap, libxml, litespeed, mbstring, mcrypt, memcached, monarxprotect, mongodb, mysqli, mysqlnd, odbc, openssl, pcntl, pcre, pdo_mysql, pdo_pgsql, pdo_sqlite, pdo_sqlsrv, pgsql, posix, pspell, random, readline, redis, session, shmop, snmp, soap, sockets, sodium, sqlite3, standard, sysvmsg, sysvsem, sysvshm, tidy, timezonedb, tokenizer, xml, xmlreader, xmlwriter, xsl, zip, zlib | |
| PHP Max Execution Time | >=30 seconds | 30 | Pass |
| PHP Max Input Time | >=30 seconds | 60 | Pass |
| PHP Memory Limit | >=256M | 512M | Pass |
| PHP Post Max Size | >=2M | 1024M | Pass |
| PHP Safe Mode Disabled | =true | true | Pass |
| PHP Session enabled | N/A | Enabled | Pass |
| PHP Upload Max Filesize | >=2M | 1024M | Pass |
| PHP Version | >=7.4 | 8.3.23 | Pass |
| PHP XML Support | N/A | YES | |
| SSL Extension Enabled | =true | true | Pass |
| SSL Warnings | = empty | | Pass |

MySQL

| Check | Required | Detected | Status |
|---|---|---|---|
| MySQL Client Encoding | N/A | utf8mb4 | |
| MySQL Mode | N/A | NO_ENGINE_SUBSTITUTION | |
| MySQL Version | >=5.0 | 10.11.13-MariaDB-cll-lve | Pass |

Server Configuration

| Setting | Detected Value |
|---|---|
| Accept Content | text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 |
| Accept-Charset Content | N/A |
| Architecture | 64 bit |
| Gateway Interface | |
| HTTPS | ON |
| Memory Usage | 7.05 MB |
| Operating System | Linux |
| Request Time | 1756303103 |
| Server Protocol | HTTP/1.1 |
| Server self connect | Not expected HTTP response body: |
| Server Software | LiteSpeed |
| User Agent | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36 |

MainWP Dashboard Settings

| Setting | Detected Value |
|---|---|
| Abandoned plugins/themes tolerance | 365 |
| Cache control enabled | No |
| Enable Uptime Monitoring | Yes |
| MainWP Dashboard Version | Latest: 5.4.0.21 \| Detected: 5.4.0.21 (Pass) |
| MainWP legacy backups enabled | No |
| Maximum number of pages to return | |
| Maximum number of posts to return | |
| Maximum simultaneous install and update requests | 3 |
| Maximum simultaneous requests | 4 |
| Maximum simultaneous requests per ip | 1 |
| Maximum simultaneous sync requests | 8 |
| Maximum simultaneous uptime monitoring requests (Default: 10) | 10 |
| Minimum delay between requests | 200 |
| Minimum delay between requests to the same ip | 1000 |
| Number of connected sites | 15 |
| Optimize data loading | Yes |
| Plugin advanced automatic updates enabled | Yes |
| Primary Backup System | API Backups |
| REST API enabled | No |
| Site health monitoring enabled | Yes |
| Theme advanced automatic updates enabled | No |
| Use WP Cron | No |
| WP Core advanced automatic updates enabled | No |

Extensions

| Extension | Version | License Status | |
|---|---|---|---|
| Dashboard Lock | 5.0.3 | Active | Pass |
| MainWP Bulk Settings Manager Extension | 5.0.4 | Active | Pass |
| MainWP Code Snippets Extension | 5.0.4 | Active | Pass |
| MainWP Custom Dashboard Extension | 5.0.1 | Active | Pass |
| MainWP Domain Monitor Extension | 5.1.3 | Active | Pass |
| MainWP UpdraftPlus Extension | 5.0.2 | Active | Pass |
| MainWP Vulnerability Checker Extension | 5.0.3 | Active | Pass |

Plugins

| Plugin | Version | Status |
|---|---|---|
| MainWP Dashboard | 5.4.0.21 | Active |
| mywpguru | is fully automatically updated to the latest | Active |
| Really Simple Security | 9.5.0 | Active |
| Redirection | 5.5.2 | Active |

Thanks for the additional info.

I’ve reproduced this on my Dashboard and looked into it some more.

The spotty and variable detection is almost certainly due to the rate limits of the free NVD API.

In an upcoming version 5.1 of the Vulnerability Checker, we will add an option to enter a free NVD API key (which can be requested from NVD) in the add-on settings, which will significantly increase the rate limit.

The reason why the add-on is detecting this vulnerability at all is that NVD doesn’t have information about the version in which the issue was fixed.

You can check this yourself by loading this API call in the browser:
https://services.nvd.nist.gov/rest/json/cves/2.0?virtualMatchString=cpe:2.3:a:activity_log_project:activity_log:-:*:*:*:*:wordpress:*:*

This is the data that our add-on reads for this Activity Log plugin.

As you can see, the versionEndExcluding field, which indicates when a vuln was fixed, is missing for this particular CVE.

Since we are certain that this has been fixed in the latest version of the plugin which you’re using, you can Ignore it globally in the add-on.
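To make the point about the missing `versionEndExcluding` field concrete, here is an added Python example (my own illustration, not MainWP's code and not something posted in this thread) that evaluates NVD CVE API 2.0 `cpeMatch` records against an installed plugin version. The response it parses is a constructed sample in the shape of the API's JSON, with placeholder CVE ids (`CVE-EXAMPLE-000x`, not real records); the vendor/product string `activity_log_project:activity_log` is the one from the API URL above. Entry 0001 carries a fix version, entry 0002 has no `versionEnd*` bound at all (the situation described above), and entry 0003 is pinned to a single version. Node `operator`/`negate` handling is simplified to the common OR case.

```python
import json
import re

# Constructed sample in the shape of an NVD CVE API 2.0 response.
# The CVE ids are placeholders, not real NVD records.
SAMPLE_NVD_RESPONSE = json.dumps({
    "vulnerabilities": [
        {"cve": {"id": "CVE-EXAMPLE-0001", "configurations": [{"nodes": [{
            "operator": "OR", "negate": False, "cpeMatch": [{
                "vulnerable": True,
                "criteria": "cpe:2.3:a:activity_log_project:activity_log:*:*:*:*:*:wordpress:*:*",
                "versionEndExcluding": "2.8.4"}]}]}]}},
        {"cve": {"id": "CVE-EXAMPLE-0002", "configurations": [{"nodes": [{
            "operator": "OR", "negate": False, "cpeMatch": [{
                "vulnerable": True,
                # No versionStart*/versionEnd* fields: NVD recorded no fixed version.
                "criteria": "cpe:2.3:a:activity_log_project:activity_log:*:*:*:*:*:wordpress:*:*"}]}]}]}},
        {"cve": {"id": "CVE-EXAMPLE-0003", "configurations": [{"nodes": [{
            "operator": "OR", "negate": False, "cpeMatch": [{
                "vulnerable": True,
                # Criteria pinned to exactly version 3.1 rather than a wildcard.
                "criteria": "cpe:2.3:a:activity_log_project:activity_log:3.1:*:*:*:*:wordpress:*:*"}]}]}]}},
    ]
})


def version_key(v: str) -> tuple:
    """Numeric comparison key, zero-padded so that '3.1' == '3.1.0'."""
    nums = [int(n) for n in re.findall(r"\d+", v)]
    return tuple(nums + [0] * (4 - len(nums)))


def match_applies(installed: str, match: dict) -> tuple:
    """Return (affected, unbounded) for one cpeMatch entry.

    'unbounded' is True when the entry has no upper version bound, i.e. NVD
    has no record of the version in which the issue was fixed, so every
    version (including the latest) falls inside the vulnerable range.
    """
    parts = match["criteria"].split(":")
    crit_version = parts[5]          # cpe:2.3:part:vendor:product:VERSION:...
    k = version_key(installed)
    if crit_version not in ("*", "-"):
        # Pinned criteria: only that exact version is listed as affected.
        return (k == version_key(crit_version), False)
    if "versionStartIncluding" in match and k < version_key(match["versionStartIncluding"]):
        return (False, False)
    if "versionStartExcluding" in match and k <= version_key(match["versionStartExcluding"]):
        return (False, False)
    if "versionEndIncluding" in match and k > version_key(match["versionEndIncluding"]):
        return (False, False)
    if "versionEndExcluding" in match and k >= version_key(match["versionEndExcluding"]):
        return (False, False)
    unbounded = not any(key in match for key in ("versionEndIncluding", "versionEndExcluding"))
    return (True, unbounded)


def assess(response_text: str, vendor_product: str, installed: str) -> list:
    """Classify every CVE in the response for the given product and version."""
    results = []
    for item in json.loads(response_text)["vulnerabilities"]:
        cve = item["cve"]
        affected = unbounded = False
        for config in cve.get("configurations", []):
            for node in config.get("nodes", []):
                for m in node.get("cpeMatch", []):
                    if not m.get("vulnerable"):
                        continue
                    if ":".join(m["criteria"].split(":")[3:5]) != vendor_product:
                        continue   # a different vendor/product; ignore
                    hit, open_ended = match_applies(installed, m)
                    if hit:
                        affected = True
                        unbounded = unbounded or open_ended
        results.append({"cve": cve["id"], "affected": affected,
                        "no_fix_version_recorded": unbounded})
    return results


if __name__ == "__main__":
    for r in assess(SAMPLE_NVD_RESPONSE, "activity_log_project:activity_log", "2.11.2"):
        flag = " (no fix version in NVD data; verify before acting)" if r["no_fix_version_recorded"] else ""
        print(f'{r["cve"]}: {"AFFECTED" if r["affected"] else "not affected"}{flag}')
```

Run as a script, the output lists 0001 as not affected (2.11.2 is past the 2.8.4 fix), 0003 as not affected (the pinned 3.1 does not match), and 0002 as affected with the "no fix version" flag. That flag is the useful signal for a checker: an open-ended range is a data-quality gap in the feed rather than evidence that the installed version is vulnerable, which is exactly why the add-on can only report it and leave the judgement to the operator. Against the live API, an unauthenticated client is subject to NVD's published public rate limit, and an API key raises that limit substantially; a client hitting the limit gets partial results, which matches the site-to-site variation reported earlier in the thread.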

I tried to dive into this as well and couldn’t find much information about the version number, except I saw that version 3.1 was still vulnerable. But the reported plugin is only at 2.11.2. I also saw that the issues were for <=2.8.3, which is older than the current version. Nowhere was there a clear link to the actual plugin. So I think either 2 plugins are mixed up or the version number comparison is broken. In both cases this would be a false positive.

Hello,

Thank you both for taking the time to review this.

To clarify, here is a summary of the problem:

  • Detection of vulnerabilities dating back up to ten years (2015, 2017, etc.)
  • Detection of vulnerabilities for a specific plugin on some websites and not on others (despite all having the same version of the plugin)
  • Changes in vulnerability detection without having updated any plugins.

I will wait for the new NVD API that Bojan Katusic mentions to see if it solves the problem.


MainWP is only the messenger in this case, so maybe the NVD data has changed, maybe the queries of the data have changed or something like that.

I always want to know why something is different than I’d expect, but that might take some time. In the meantime I personally wouldn’t worry about this notification and ignore it for the time being as a false positive.


The upcoming changes to the add-on will help with vulnerabilities not being detected on some sites and with changes in detection, since both of those are due to the API rate limit being hit.

However, this is due to the incomplete data in the API response from NVD about this particular vulnerability.

Specifically, the NVD response doesn’t have information about when this particular vulnerability has been fixed. So naturally, our add-on has no option but to consider this an open vulnerability.

In such a case, the best option is to click Ignore Globally in the add-on to hide this detection.

