cbcvebase.
CVE-2020-5766
published 2020-07-13


Priority: P2 · 76 · high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 6.05% (92.5th percentile)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in SRS Simple Hits Counter Plugin for WordPress 1.0.3 and 1.0.4 allows a remote, unauthenticated attacker to determine the value of database fields.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
srs_simple_hits_counter_project | srs_simple_hits_counter | |
srs_simple_hits_counter_project | srs_simple_hits_counter | |

Detection & IOCs (extracted from sources)

url: /wp-admin/admin-ajax.php?action=srs_update_counter&post_id=1+and+1=0)+union+select+(select+if(ascii(substring((select+user_pass+from+wp_users+where+user_login=char(97,100,109,105,110)),%d,1))=%d,sleep(6),sleep(0))),1,1,1,1,1;--
path: /wp-content/plugins/srs-simple-hits-counter/
path: /wp-admin/admin-ajax.php
  • Detect exploitation attempts by monitoring HTTP GET requests to /wp-admin/admin-ajax.php with the query parameter action=srs_update_counter combined with SQL injection payloads in the post_id parameter (e.g., UNION SELECT, sleep(), ascii(), substring()).
  • Time-based blind SQLi detection: flag requests to the srs_update_counter action where the server response duration is >= 6 seconds, indicating a successful sleep() injection.
  • Identify vulnerable WordPress installations by detecting the presence of the plugin path /wp-content/plugins/srs-simple-hits-counter/ in HTTP response bodies.
  • The attack is unauthenticated and targets the AJAX endpoint via HTTP GET — no authentication cookies or nonces are required, making it detectable as anomalous unauthenticated access to admin-ajax.php with SQL-like patterns.
  • The publicwww-query fingerprint can be used to enumerate potentially vulnerable WordPress sites exposed on the internet, but presence of the plugin path alone does not confirm exploitation.
  • The vulnerability affects only plugin versions 1.0.3 and 1.0.4; detections should be scoped accordingly to reduce false positives on patched installations.
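
Added example (not part of the original page or of the plugin's code): the request-pattern and response-time checks from the bullets above, applied to web access-log lines. The log format (request duration in seconds as the last field), the sample lines, and the rule that a legitimate post_id is purely numeric are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines: combined-style access log with the request
# duration in seconds appended as the last field (an assumed log format).
SAMPLE_LOG = """\
203.0.113.5 - - [13/Jul/2020:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=srs_update_counter&post_id=42 HTTP/1.1" 200 12 0.041
203.0.113.9 - - [13/Jul/2020:10:00:07 +0000] "GET /wp-admin/admin-ajax.php?action=srs_update_counter&post_id=1+union+select+sleep(6) HTTP/1.1" 200 12 6.052
203.0.113.9 - - [13/Jul/2020:10:00:08 +0000] "GET /wp-admin/admin-ajax.php?action=srs_update_counter&post_id=1+union+select+sleep(0) HTTP/1.1" 200 12 0.038
198.51.100.7 - - [13/Jul/2020:10:00:09 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 80 7.300
"""

LINE_RE = re.compile(r'^(\S+) .*?"(\w+) (\S+) [^"]*" (\d{3}) \S+ ([\d.]+)$')
# SQL keywords named in the detection guidance, plus common SQL punctuation.
SQL_TOKENS = re.compile(r"\b(union|select|sleep|ascii|substring)\b|--|[()';]", re.I)
SLOW_SECONDS = 6.0  # threshold from the time-based detection bullet

def classify(line):
    """Return None for unrelated or clean traffic, else a dict describing the hit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, _method, target, _status, secs = m.groups()
    url = urlsplit(target)
    qs = parse_qs(url.query, keep_blank_values=True)  # also decodes '+' and %xx
    if url.path != "/wp-admin/admin-ajax.php" or qs.get("action") != ["srs_update_counter"]:
        return None
    post_id = qs.get("post_id", [""])[0]
    reasons = []
    if not post_id.isdigit():  # assumption: a legitimate post_id is an integer
        reasons.append("non-numeric post_id")
    if SQL_TOKENS.search(post_id):
        reasons.append("sql tokens")
    if float(secs) >= SLOW_SECONDS:
        reasons.append("slow response")
    return {"ip": ip, "post_id": post_id, "reasons": reasons} if reasons else None

def scan(log_text):
    """Classify every line and keep only the flagged requests."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["reasons"], hit["post_id"])
```

Slow requests to other admin-ajax.php actions are ignored, so the duration check only fires in combination with the srs_update_counter action.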

CVSS provenance

nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck | 7.5 | HIGH