CVE-2021-24750
WP Visitor Statistics (Real Time Traffic) < 4.8 - Subscriber+ SQL Injection
The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks.
Affected products
Unknown · WP Visitor Statistics (Real Time Traffic)
Public PoCs found: 2
cve_reference: packetstormsecurity.com/files/165433/WordPress-WP-Visitor-Statistics-4.7-SQL-Injection.html (unverified)
exploitdb: www.exploit-db.com/exploits/50619 (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.