CVE-2021-24750
WP Visitor Statistics (Real Time Traffic) < 4.8 - Subscriber+ SQL Injection
The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 does not properly sanitise and escape the refUrl parameter in the refDetails AJAX action, which is available to any authenticated user. This could allow users with a role as low as subscriber to perform SQL injection attacks.
Affected products
Unknown · WP Visitor Statistics (Real Time Traffic)
Public PoCs found: 2
cve_reference: packetstormsecurity.com/files/165433/WordPress-WP-Visitor-Statistics-4.7-SQL-Injection.html (unverified)
exploitdb: www.exploit-db.com/exploits/50619 (unverified)
⚠ Public resources, for assessing the exposure of systems you control or are authorized to test. Test only with authorization.