CVE-2021-24750
WP Visitor Statistics (Real Time Traffic) < 4.8 - Subscriber+ SQL Injection
Vexday Risk Score: 50 (Attention)
SSVC decision (CISA): Attend
PoC available → attend closely
CVSS: —
EPSS: 38.3%
KEV: no
PoC: public
Nuclei: yes
Metasploit: —
Patch: —
Lifecycle
21 Dec 2021: Published on NVD
05 Jan 2022: Public PoC
Recommendation: Plan a near-term fix — a public PoC already exists.
The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks.
Affected products
Unknown · WP Visitor Statistics (Real Time Traffic)
Public PoCs found: 2
cve_reference: packetstormsecurity.com/files/165433/WordPress-WP-Visitor-Statistics-4.7-SQL-Injection.html (unverified)
exploitdb: www.exploit-db.com/exploits/50619 (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.