WP Statistics < 13.0.8 – Unauthenticated SQL Injection | CVE 2021-24340

Description

The plugin relied on using the WordPress esc_sql() function on a field not delimited by quotes and did not first prepare the query. Additionally, the page, which should have been accessible to administrator only, was also available to any visitor, including unauthenticated ones.

Proof of Concept

https://example.com/wp-admin/admin.php?page=wps_pages_page&ID=0+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))SQLi)&type=home

Affects Plugins

wp-statistics

Fixed in 13.0.8

References

CVE

CVE-2021-24340

URL

https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistics-patch/

URL

https://plugins.trac.wordpress.org/changeset/2503579/wp-statistics/trunk/includes/admin/pages/class-wp-statistics-admin-page-pages.php

Classification

Type

SQLI

OWASP top 10

A1: Injection

CWE

CWE-89

CVSS

7.5 (high)

Miscellaneous

Original Researcher

Ram Gall (Wordfence)

Verified

Yes

WPVDB ID

d2970cfb-0aa9-4516-9a4b-32971f41a19c

Timeline

Publicly Published

2021-05-19 (about 4 years ago)

Added

2021-05-19 (about 4 years ago)

Last Updated

2021-05-21 (about 4 years ago)

Other

Published

Title

Published

2025-01-23

Title

Simple Downloads List < 1.4.3 - Authenticated (Contributor+) SQL Injection

Published

2025-12-01

Title

VikRentCar Car Rental Management System < 1.4.5 - Authenticated (Author+) SQL Injection via 'month' Parameter

Published

2025-10-30

Title

Attention Bar <= 0.7.2.1 - Contributor+ SQLi

Published

2025-07-08

Title

Pakke Envíos <= 1.0.2 - Authenticated (Subscriber+) SQL Injection

Published

2022-05-09

Title

amtyThumb <= 4.2.0 - Subscriber+ SQLi