WordPress Plugin Vulnerabilities

WP Statistics < 13.0.8 - Unauthenticated SQL Injection

Description

The plugin relied on using the WordPress esc_sql() function on a field not delimited by quotes and did not first prepare the query. Additionally, the page, which should have been accessible to administrator only, was also available to any visitor, including unauthenticated ones.

Proof of Concept

https://example.com/wp-admin/admin.php?page=wps_pages_page&ID=0+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))SQLi)&type=home

Affects Plugins

wp-statistics

Fixed in version 13.0.8

References

CVE

CVE-2021-24340

URL

https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistics-patch/

URL

https://plugins.trac.wordpress.org/changeset/2503579/wp-statistics/trunk/includes/admin/pages/class-wp-statistics-admin-page-pages.php

Classification

Type

SQLI

OWASP top 10

A1: Injection

CWE

CWE-89

Miscellaneous

Original Researcher

Ram Gall (Wordfence)

Verified

Yes

WPVDB ID

d2970cfb-0aa9-4516-9a4b-32971f41a19c

Timeline

Publicly Published

2021-05-19 (about 1 years ago)

Added

2021-05-19 (about 1 years ago)

Last Updated

2021-05-21 (about 1 years ago)

Our Other Services

WPScan WordPress Security Plugin