CVE-2021-24340
Published 2021-06-07
Priority: P2 · 64 · high · 7.5 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
EPSS (exploit probability): 26.93% (97.8th percentile)
The WP Statistics WordPress plugin before 13.0.8 relied on using the WordPress esc_sql() function on a field not delimited by quotes and did not first prepare the query. Additionally, the page, which should have been accessible to administrators only, was also available to any visitor, including unauthenticated ones.
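Added illustration of the two defects named above; this is not code from the WP Statistics plugin. It shows esc_sql() applied to an unquoted numeric field beside a hardened handler that uses $wpdb->prepare() with a %d placeholder and a capability check. The function names, the table name and the 'id' column are assumptions.

```php
<?php
// Illustrative code, not the plugin's own. Function and table names are assumed.

// Vulnerable pattern. esc_sql() only escapes characters that matter inside a
// quoted string literal (quotes, backslashes, NUL, newlines). When the value is
// spliced into a position that is NOT wrapped in quotes, no quote is needed to
// change the meaning of the statement, so the escaping provides no protection
// and whatever the caller supplied lands in the query verbatim.
function wp_stats_example_vulnerable( $id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_stats';   // assumed table name
    $sql   = "SELECT * FROM {$table} WHERE id = " . esc_sql( $id );
    return $wpdb->get_results( $sql );
}

// Hardened pattern.
// 1. Gate the handler behind a capability check so it is not reachable by
//    unauthenticated visitors (the second defect in the description above).
// 2. Build the statement with $wpdb->prepare(); the %d placeholder casts the
//    value to an integer before it reaches MySQL, so a numeric field is safe
//    regardless of whether the SQL surrounds it with quotes.
function wp_stats_example_hardened( $id ) {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    $table = $wpdb->prefix . 'example_stats';   // assumed table name
    $sql   = $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $id );
    return $wpdb->get_results( $sql );
}
```

When reviewing a plugin for this bug class, search for esc_sql() calls whose result is concatenated into a query and check whether the surrounding SQL quotes that position; if it does not, the call should be replaced by prepare() or an explicit (int) cast.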
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| veronalabs | wp_statistics | < 13.0.8 | 13.0.8 |
| veronalabs | wp_statistics | >= 13.0.8 < 13.0.8 | 13.0.8 |
Detection & IOCs (extracted from sources)
sigma
- 'status_code_2 == 500'
- 'contains(body_2, ">WordPress › ErrorYour request is not valid.<")'
condition: and
- Vulnerable versions of WP Statistics are before 13.0.8; probe responses returning HTTP 500 with the WordPress error body string '>WordPress › ErrorYour request is not valid.<' are indicative of a successful SQLi trigger against the unauthenticated statistics endpoint.
- The vulnerable page was accessible to any visitor including unauthenticated ones, so SQLi attempts against the WP Statistics endpoint should be monitored in web server logs regardless of authentication state.
- The injection point is a field not delimited by quotes and not first prepared via a parameterized query, so look for unquoted numeric parameter manipulation (e.g., appended SQL keywords or arithmetic) in HTTP requests to WP Statistics pages.
- Nuclei template fingerprint for this CVE uses the payload pattern 'WordPress Statistics =7'' as part of the detection matcher.
- The SQLi is only exploitable on WP Statistics versions strictly before 13.0.8; version 13.0.8 and later are patched.
- The detection rule requires BOTH a 500 status code AND the specific WordPress error string in the response body; both conditions must be true simultaneously (condition: and).
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
No detection rules found.
Nuclei
WordPress Statistics <13.0.8 - Blind SQL Injection
nuclei · CVSS 7.5
CVE-2021-24340 [HIGH] WordPress Statistics <13.0.8 - Blind SQL Injection
WordPress Statistics =7'
- 'status_code_2 == 500'
- 'contains(body_2, ">WordPress › ErrorYour request is not valid.<")'
condition: and
# digest: 490a0046304402202f6e2754f5404f8981df753f8219e7def6f35b59cb1c95f84d6ae089aa58649b02204bd2d62573d6c84625f6febb4cf66e16d42e7ea5a36ca095ff028f67ca2ebf02:922c64590222798bb761d5b6d8e72950
No writeups or analysis indexed.
References
https://wpscan.com/vulnerability/d2970cfb-0aa9-4516-9a4b-32971f41a19c
https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistics-patch/