CVE-2021-24750

HIGH · Exploited in the wild · Nuclei · Lab

WP Visitor Statistics <4.8 - SQL Injection

Title source: llm

Exploitation Summary

CVE-2021-24750 has been observed exploited in the wild (reported by VulnCheck KEV and InTheWild.io). EIP tracks 2 public exploits, including one by Ron Jost. A Nuclei detection template is also available.

AI-analyzed exploit summary

This exploit demonstrates SQL injection in WordPress Plugin WP Visitor Statistics 4.7 via the refUrl parameter of the refDetails AJAX action. It requires authentication; a user with only the subscriber role can execute arbitrary SQL against the WordPress database.

Description

The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 does not properly sanitise and escape the refUrl parameter in the refDetails AJAX action. The action is available to any authenticated user, so users with a role as low as subscriber can perform SQL injection attacks.
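The root cause the description names, as an added illustrative example in PHP (this is not the plugin's code and not the upstream fix in the linked changeset): a WordPress admin-ajax handler that concatenates refUrl into a query, next to a hardened version using $wpdb->prepare(). The table name, column name, capability and nonce action are assumptions.

```php
<?php
// Added illustrative example, not the plugin's code. Table/column names,
// the capability and the nonce action are assumptions.

// Vulnerable pattern (CWE-89): the request value is spliced straight into SQL.
// wp_ajax_* hooks are reachable by every logged-in user, so a subscriber's
// refUrl containing a single quote leaves the string literal and the rest of
// the value becomes query text.
function refdetails_vulnerable() {
    global $wpdb;
    $refUrl = isset( $_REQUEST['refUrl'] ) ? $_REQUEST['refUrl'] : '';
    $table  = $wpdb->prefix . 'visitor_statistics';            // assumed table
    $sql    = "SELECT * FROM $table WHERE referer = '" . $refUrl . "'";
    wp_send_json( $wpdb->get_results( $sql ) );
}

// Hardened pattern: authorization, CSRF nonce, and a prepared statement.
function refdetails_hardened() {
    global $wpdb;

    // Least privilege: only users allowed to view statistics reach the query.
    if ( ! current_user_can( 'manage_options' ) ) {             // assumed capability
        wp_send_json_error( 'forbidden', 403 );
    }
    // Nonce created on the admin page with wp_create_nonce( 'refdetails' ) (assumed).
    check_ajax_referer( 'refdetails', 'nonce' );

    $refUrl = isset( $_REQUEST['refUrl'] )
        ? sanitize_text_field( wp_unslash( $_REQUEST['refUrl'] ) )
        : '';
    $table = $wpdb->prefix . 'visitor_statistics';

    // %s placeholder: $wpdb->prepare() quotes and escapes the value. Identifiers
    // cannot be parameterised, so the table name is built from $wpdb->prefix
    // and a literal, never from the request.
    $sql = $wpdb->prepare( "SELECT * FROM {$table} WHERE referer = %s", $refUrl );

    // If a substring match is wanted, LIKE wildcards in the value must also be
    // escaped, otherwise a subscriber can widen the match with % and _:
    // $pattern = '%' . $wpdb->esc_like( $refUrl ) . '%';
    // $sql = $wpdb->prepare( "SELECT * FROM {$table} WHERE referer LIKE %s", $pattern );

    wp_send_json_success( $wpdb->get_results( $sql ) );
}
add_action( 'wp_ajax_refDetails', 'refdetails_hardened' );
```

The capability check matters independently of the query fix: even with a prepared statement, exposing referrer statistics to every subscriber is more than the feature needs.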

Exploits (2)

exploitdb WORKING POC
by Ron Jost · python · webapps · php
https://www.exploit-db.com/exploits/50619

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: WordPress Plugin WP Visitor Statistics <= 4.7
Auth required
Prerequisites: Valid WordPress credentials · Target running vulnerable plugin version
devstral-2 · analyzed Feb 16, 2026
vulncheck_xdb WORKING POC
remote-auth
https://github.com/fimtow/CVE-2021-24750

This repository contains a functional exploit for CVE-2021-24750, a SQL injection vulnerability in the WP Visitor Statistics plugin (versions <= 4.7). The exploit leverages improper sanitization of the 'refUrl' parameter in the 'refDetails' AJAX action, allowing authenticated users (even subscribers) to execute arbitrary SQL queries.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: WP Visitor Statistics (WP Stats Manager) <= 4.7
Auth required
Prerequisites: WordPress installation with vulnerable plugin · Valid user credentials (subscriber role or higher) · Network access to WordPress admin-ajax.php endpoint
devstral-2 · analyzed Feb 26, 2026

Nuclei Templates (1)

WordPress Visitor Statistics (Real Time Traffic) <4.8 - SQL Injection
HIGH · by cckuakilong

References (3)

Core References
- https://wpscan.com/vulnerability/7528aded-b8c9-4833-89d6-9cd7df3620de (Exploit, Third Party Advisory; x_refsource_misc)
- https://plugins.trac.wordpress.org/changeset/2622268 (Patch, Third Party Advisory; x_refsource_confirm)

Scores

CVSS v3 8.8
EPSS 0.6433
EPSS Percentile 98.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Lab Environment

COMMUNITY
Community Lab
docker pull wordpress:apache
docker pull wordpress:cli

Details

VulnCheck KEV 2022-05-31
InTheWild.io 2022-05-31
CWE
CWE-89
Status published
Products (2)
codepress/visitor_statistics < 4.8
wp_visitor_statistics_\(real_time_traffic\)_project/wp_visitor_statistics_\(real_time_traffic\) < 4.8
Published Dec 21, 2021
Tracked Since Feb 18, 2026