CVE-2021-24750

WP Visitor Statistics (Real Time Traffic) < 4.8 - Subscriber+ SQL Injection

EPSS 38.3%CWE-89

The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks

Produtos afetados

Unknown · WP Visitor Statistics (Real Time Traffic)

PoCs públicas encontradas — 2

cve_referencepacketstormsecurity.com/files/165433/WordPress-WP-Visitor-Statistics-4.7-SQL-Injection.htmlnão verificado exploitdbwww.exploit-db.com/exploits/50619não verificado

⚠ Recursos públicos, para você avaliar a exposição de sistemas que controla ou está autorizado a testar. Teste apenas com autorização.

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

http://packetstormsecurity.com/files/165433/WordPress-WP-Visitor-Statistics-4.7-SQL-Injection.html https://plugins.trac.wordpress.org/changeset/2622268 https://wpscan.com/vulnerability/7528aded-b8c9-4833-89d6-9cd7df3620de