CVE-2021-24340
Severity: HIGH | Source: NUCLEI
Veronalabs WP Statistics < 13.0.8 - SQL Injection
The WP Statistics WordPress plugin before 13.0.8 relied on using the WordPress esc_sql() function on a field not delimited by quotes and did not first prepare the query. Additionally, the page, which should have been accessible to administrator only, was also available to any visitor, including unauthenticated ones.
Nuclei Templates (1)
WordPress Statistics <13.0.8 - Blind SQL Injection
HIGH by lotusdll, j4vaovo
Shodan:
http.html:/wp-content/plugins/wp-statistics/
FOFA:
body=/wp-content/plugins/wp-statistics/
Scores
CVSS v3
7.5
EPSS
0.8321
EPSS Percentile
99.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-89
Status
published
Products (1)
veronalabs/wp_statistics
< 13.0.8
Published
Jun 07, 2021
Tracked Since
Feb 18, 2026