// For flags

CVE-2021-25042

WP Visitor Statistics (Real Time Traffic) < 5.5 - Arbitrary IP Address Exclusion to Stored XSS

Severity Score

5.4
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 5.5 does not have authorisation and CSRF checks in the updateIpAddress AJAX action, allowing any authenticated user to call it, or make a logged in user do it via a CSRF attack and add an arbitrary IP address to exclude. Furthermore, due to the lack of validation, sanitisation and escaping, users could set a malicious value and perform Cross-Site Scripting attacks against logged in admin

El plugin WP Visitor Statistics (Real Time Traffic) de WordPress versiones anteriores a 5.5, no presenta comprobaciones de autorización y CSRF en la acción AJAX updateIpAddress, permitiendo a cualquier usuario autenticado llamarla, o hacer que un usuario conectado lo haga por medio de un ataque de tipo CSRF y añada una dirección IP arbitraria para excluirla. Además, debido a una falta de comprobación, saneo y escape, los usuarios podrían establecer un valor malicioso y llevar a cabo ataques de tipo Cross-Site Scripting contra el administrador conectado.

*Credits: Krzysztof Zając
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
Single
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-01-14 CVE Reserved
  • 2022-01-31 CVE Published
  • 2024-08-03 CVE Updated
  • 2024-08-03 First Exploit
  • 2024-12-17 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-862: Missing Authorization
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Plugins-market
Search vendor "Plugins-market"
 Wp Visitor Statistics \(real Time Traffic\)
Search vendor "Plugins-market" for product "Wp Visitor Statistics \(real Time Traffic\)"
 < 5.5
Search vendor "Plugins-market" for product "Wp Visitor Statistics \(real Time Traffic\)" and version " < 5.5"
wordpress
Affected