CVE-2021-24750

WP Visitor Statistics (Real Time Traffic) < 4.8 - Subscriber+ SQL Injection

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks

El plugin WP Visitor Statistics (Real Time Traffic) de WordPress versiones anteriores a 4.8, no sanea y escapa correctamente de la refUrl en la acción refDetails AJAX, disponible para cualquier usuario autenticado, que podría permitir a usuarios con un rol tan bajo como el de suscriptor llevar a cabo ataques de inyección SQL

WordPress WP Visitor Statistics plugin versions 4.7 and below suffer from a remote SQL injection vulnerability.

*Credits: Krzysztof Zając

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-01-14 CVE Reserved
2021-12-21 CVE Published
2022-01-05 First Exploit
2024-08-03 CVE Updated
2024-11-12 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CAPEC

References (5)

URL	Tag	Source

URL	Date	SRC
https://www.exploit-db.com/exploits/50619	2022-01-05
https://github.com/fimtow/CVE-2021-24750	2022-01-18
http://packetstormsecurity.com/files/165433/WordPress-WP-Visitor-Statistics-4.7-SQL-Injection.html	2024-08-03
https://wpscan.com/vulnerability/7528aded-b8c9-4833-89d6-9cd7df3620de	2024-08-03

URL	Date	SRC
https://plugins.trac.wordpress.org/changeset/2622268	2022-08-04

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Wp Visitor Statistics \(real Time Traffic\) Project Search vendor "Wp Visitor Statistics \(real Time Traffic\) Project"		Wp Visitor Statistics \(real Time Traffic\) Search vendor "Wp Visitor Statistics \(real Time Traffic\) Project" for product "Wp Visitor Statistics \(real Time Traffic\)"				< 4.8 Search vendor "Wp Visitor Statistics \(real Time Traffic\) Project" for product "Wp Visitor Statistics \(real Time Traffic\)" and version " < 4.8"		wordpress		Affected