CVE-2018-8719
Description
An issue was discovered in the WP Security Audit Log plugin 3.1.1 for WordPress. Access to wp-content/uploads/wp-security-audit-log/* files is not restricted. For example, these files are indexed by Google, which allows attackers to possibly find sensitive information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WP Security Audit Log plugin ≤3.1.1 stores sensitive audit logs in a publicly accessible web directory, exposing user information like failed login details.
Vulnerability
The WP Security Audit Log plugin for WordPress, version 3.1.1 and earlier, writes security audit log files to the wp-content/uploads/wp-security-audit-log/ directory. The web server does not restrict access to this directory, allowing anyone to read the log files via a direct URL request [1]. The logs include failed login attempts and other user-related data; the code in LogInOut.php creates a failed-logins/ subdirectory, and System.php logs 404 requests along with user details [1].
Exploitation
An attacker can access the logs simply by navigating to the exposed URL pattern (e.g., /wp-content/uploads/wp-security-audit-log/failed-logins/) using any browser. The files are indexed by search engines; the exploit-db entry provides a Google dork (inurl:/wp-content/uploads/wp-security-audit-log/) to locate vulnerable sites [1]. No authentication or special privileges are required, as the logs are world-readable [1].
Impact
Successful exploitation allows an attacker to read sensitive information such as usernames involved in failed login attempts, IP addresses, and timestamps. This data aids in reconnaissance for further attacks, including targeted credential brute-forcing or account enumeration. The vulnerability is classified as information disclosure with no direct code execution, but it significantly weakens the overall security posture of the WordPress site.
Mitigation
The WP Security Audit Log plugin version 3.2.0 (released March 21, 2018) fixes the issue by restricting access to the logs directory, typically via an .htaccess file added during update [1]. Users should immediately update to at least version 3.2.0. For sites still running 3.1.1 and unable to upgrade, manually deny web access to /wp-content/uploads/wp-security-audit-log/ (e.g., with a server rule). No known KEV listing exists at this time.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 3.1.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing access control on the wp-content/uploads/wp-security-audit-log/ directory allows unauthenticated reading of sensitive log files."
Attack vector
An attacker can directly request any file under `wp-content/uploads/wp-security-audit-log/` because the plugin does not restrict access to that directory [ref_id=1]. Since these files are indexed by search engines (Google dork: `inurl:/wp-content/uploads/wp-security-audit-log/`), an attacker can discover them without any authentication [ref_id=1]. The files contain sensitive information such as usernames from failed login attempts, which can be used to enumerate valid accounts or aid in brute-force attacks [ref_id=1].
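Detection logic for the access pattern described above, added here as an example and not taken from the plugin or the exploit-db entry. It parses web-server access-log lines (the sample lines are constructed) and reports requests under the audit-log upload directory that were actually served with a 2xx status, so an operator can confirm whether the directory was readable and who read it; a 403 on the same path means the deny rule is in place and is not reported.

```python
# Added example for this CVE record (not code from the plugin or the exploit-db entry):
# flag access-log lines where a file under the exposed audit-log upload directory was
# served successfully. The log lines below are constructed for illustration.
import re
from collections import Counter
from typing import Iterable, Optional
from urllib.parse import unquote

EXPOSED_PREFIX = "/wp-content/uploads/wp-security-audit-log/"

# Common/combined log line: ip ident user [time] "METHOD path proto" status bytes ...
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Constructed sample: two successful reads by one client, an unrelated upload, a blocked
# request (403), and one more successful read by a second client.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2018:12:00:01 +0000] "GET /wp-content/uploads/wp-security-audit-log/failed-logins/6a5b.log HTTP/1.1" 200 4123
203.0.113.7 - - [10/Mar/2018:12:00:02 +0000] "GET /wp-content/uploads/wp-security-audit-log/404s/users/ HTTP/1.1" 200 987
198.51.100.4 - - [10/Mar/2018:12:01:00 +0000] "GET /wp-content/uploads/2018/03/photo.jpg HTTP/1.1" 200 20311
198.51.100.9 - - [10/Mar/2018:12:02:00 +0000] "GET /wp-content/uploads/wp-security-audit-log/ HTTP/1.1" 403 199
198.51.100.9 - - [10/Mar/2018:12:02:05 +0000] "GET /wp-content/uploads/wp-security-audit-log/failed-logins/ HTTP/1.1" 200 512
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return None for lines that do not match the format."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    # Normalize percent-encoding and case so encoded or upper-cased variants still match.
    entry["path"] = unquote(entry["path"]).lower()
    return entry


def find_exposed_reads(lines: Iterable[str]) -> list:
    """Return entries where a request under EXPOSED_PREFIX received a 2xx response,
    i.e. the file or directory index was actually served to the client."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        if entry["path"].startswith(EXPOSED_PREFIX) and 200 <= entry["status"] < 300:
            hits.append(entry)
    return hits


def reads_per_client(hits: list) -> Counter:
    """Count successful reads per source IP; a simple basis for an alert threshold."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    hits = find_exposed_reads(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} read {h["path"]} ({h["status"]})')
    print("per-client:", dict(reads_per_client(hits)))
```

Run it against a real Apache or nginx access log by replacing `SAMPLE_LOG.splitlines()` with the file's lines; any hit dated before the directory was locked down should be treated as a disclosure of whatever that log file contained at the time.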
Affected code
The plugin stores sensitive log files under `wp-content/uploads/wp-security-audit-log/`, specifically failed-login records in `/wp-security-audit-log/failed-logins/` and 404-user tracking in `/wp-security-audit-log/404s/users/` [ref_id=1]. The code in `LogInOut.php` and `System.php` creates these directories using `wp_upload_dir()` but does not place any access control on the resulting files [ref_id=1].
What the fix does
The advisory does not include a patch diff, but the remediation is to restrict access to the `wp-content/uploads/wp-security-audit-log/` directory, for example by placing an `.htaccess` file that denies all requests or by moving the log storage outside the web-accessible uploads folder [ref_id=1]. No official fix is shown in the provided materials; the vulnerability affects plugin version 3.1.1 and earlier [ref_id=1].
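The mitigation described in this section and under Mitigation above, written out as an added example (not the plugin's own code or its 3.2.0 patch): it writes an Apache `.htaccess` that denies all direct requests to the audit-log upload directory, plus an empty `index.php` so that even without the deny rule no directory listing is produced, and checks that both are present. The directory path is an assumption; on a real site it would be `<wordpress root>/wp-content/uploads/wp-security-audit-log/`.

```python
# Added example for this CVE record (not the plugin's own code): apply the described
# mitigation, an Apache .htaccess denying direct web access to the audit-log upload
# directory, plus an index.php stub to suppress directory listings. The target directory
# is a constructed temporary path; a real deployment would pass
# <wordpress root>/wp-content/uploads/wp-security-audit-log/ instead.
import os
import tempfile

# Deny rule in both Apache 2.4 (mod_authz_core) and 2.2 syntax. Because .htaccess rules
# apply to subdirectories too, this also covers failed-logins/ and 404s/users/.
HTACCESS_DENY = """\
# Deny direct web access to WP Security Audit Log files
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
"""

# nginx ignores .htaccess; the equivalent goes into the server block, e.g.
#   location ^~ /wp-content/uploads/wp-security-audit-log/ { deny all; }

INDEX_STUB = "<?php\n// Silence is golden.\n"


def harden_log_dir(log_dir: str) -> list:
    """Create the directory if needed and write the deny rule and index stub.
    Returns the paths written."""
    os.makedirs(log_dir, exist_ok=True)
    written = []
    for name, content in ((".htaccess", HTACCESS_DENY), ("index.php", INDEX_STUB)):
        target = os.path.join(log_dir, name)
        with open(target, "w", encoding="utf-8") as fh:
            fh.write(content)
        written.append(target)
    return written


def is_hardened(log_dir: str) -> bool:
    """True when the directory carries a deny rule and an index stub."""
    htaccess = os.path.join(log_dir, ".htaccess")
    index = os.path.join(log_dir, "index.php")
    if not (os.path.isfile(htaccess) and os.path.isfile(index)):
        return False
    with open(htaccess, encoding="utf-8") as fh:
        rules = fh.read()
    return "Require all denied" in rules or "Deny from all" in rules


def demo() -> tuple:
    """Run the check before and after hardening on a constructed temporary directory
    laid out like the plugin's upload folder (with a failed-logins/ subdirectory)."""
    with tempfile.TemporaryDirectory() as tmp:
        log_dir = os.path.join(tmp, "wp-content", "uploads", "wp-security-audit-log")
        os.makedirs(os.path.join(log_dir, "failed-logins"))
        before = is_hardened(log_dir)
        harden_log_dir(log_dir)
        after = is_hardened(log_dir)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would check: an `.htaccess` is only honoured when the Apache virtual host sets `AllowOverride` to permit it (otherwise the same rules belong in the vhost or `httpd.conf`), and the stronger fix named in the text, storing the logs outside the web-accessible uploads folder, removes the dependency on web-server configuration altogether.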
Preconditions
- config: The WP Security Audit Log plugin version <= 3.1.1 must be installed and active on a WordPress site.
- network: The attacker must be able to make HTTP requests to the WordPress site's uploads directory (no authentication required).
- input: The plugin must have generated log files under wp-content/uploads/wp-security-audit-log/ (e.g., failed-login records).
Reproduction
1. Identify a WordPress site running WP Security Audit Log plugin version 3.1.1 or earlier.
2. Use a search engine with the dork `inurl:/wp-content/uploads/wp-security-audit-log/` or directly browse to `https://target/wp-content/uploads/wp-security-audit-log/failed-logins/`.
3. List the directory contents (if directory listing is enabled) or guess filenames to retrieve log files containing failed-login usernames and timestamps [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. www.exploit-db.com/exploits/44371/ (MITRE, x_refsource_EXPLOIT-DB)
News mentions
No linked articles in our index yet.