CVE-2021-24750

Severity: HIGH · Exploited in the wild · Nuclei template available · Lab available

WP Visitor Statistics <4.8 - SQL Injection

Title source: llm

Description

The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 does not properly sanitise and escape the refUrl parameter in the refDetails AJAX action, which is available to any authenticated user. This could allow users with a role as low as subscriber to perform SQL injection attacks.

Exploits (2)

exploitdb (working PoC) by Ron Jost · tags: python, webapps, php
https://www.exploit-db.com/exploits/50619

vulncheck_xdb (working PoC) · tags: remote-auth
https://github.com/fimtow/CVE-2021-24750

Nuclei Templates (1)

WordPress Visitor Statistics (Real Time Traffic) <4.8 - SQL Injection
Severity: HIGH · by cckuakilong

Scores

CVSS v3 8.8
EPSS 0.6951
EPSS Percentile 98.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Lab Environment

Community Lab
docker pull wordpress:apache
docker pull wordpress:cli

Details

VulnCheck KEV 2022-05-31
InTheWild.io 2022-05-31
CWE
CWE-89
Status published
Products (2)
codepress/visitor_statistics < 4.8
wp_visitor_statistics_(real_time_traffic)_project/wp_visitor_statistics_(real_time_traffic) < 4.8
Published Dec 21, 2021
Tracked Since Feb 18, 2026