CVE-2023-0600

CRITICAL EXPLOITED NUCLEI

WP Visitor Statistics < 6.9 - Unauthenticated SQL Injection

Exploitation Summary

CVE-2023-0600 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.

Description

The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 6.9 does not escape user input which is concatenated to an SQL query, allowing unauthenticated visitors to conduct SQL Injection attacks.

Nuclei Templates (1)

WP Visitor Statistics (Real Time Traffic) < 6.9 - SQL Injection
CRITICAL VERIFIED by r3Y3r53, j4vaovo
Shodan: http.html:"wp-stats-manager"
FOFA: body="wp-stats-manager"

References (1)

Core References
Exploit exploit vdb-entry technical-description
https://wpscan.com/vulnerability/8f46df4d-cb80-4d66-846f-85faf2ea0ec4

Scores

CVSS v3 9.8
EPSS 0.0423
EPSS Percentile 89.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

VulnCheck KEV 2025-06-10
CWE CWE-89
Status published
Products (2)
codepress/visitor_statistics < 6.9
plugins-market/wp_visitor_statistics < 6.9
Published May 15, 2023
Tracked Since Feb 18, 2026