Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2021-24340: SQL Injection in WP Statistics

CWE-89 (SQL Injection) | 4 documents | 4 sources
Severity
7.5 HIGH (NVD)
EPSS
83.2%
top 0.73%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
Timeline
Published: Jun 7
Latest update: May 24

Description

The WP Statistics WordPress plugin before 13.0.8 relied on using the WordPress esc_sql() function on a field not delimited by quotes and did not first prepare the query. Additionally, the page, which should have been accessible to administrator only, was also available to any visitor, including unauthenticated ones.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (2 packages)

CVEListV5 | veronalabs/wp_statistics | 13.0.8 | 13.0.8

Vulnerability Details (2)

GHSA: GHSA-9mj4-xv45-qwq2: The WP Statistics WordPress plugin before 13 (2022-05-24)
CVEList: WP Statistics < 13.0.8 - Unauthenticated SQL Injection (2021-06-07)

Exploits & PoCs (1)

Nuclei: WordPress Statistics <13.0.8 - Blind SQL Injection
CVE-2021-24340 — SQL Injection in WP Statistics | cvebase