CVE-2021-24750
Published: 2021-12-21
Priority: P180 · high · 8.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Flags: ITW exploit · VulnCheck KEV · Exploited in the wild
EPSS: 38.30% (98.4th percentile)
The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks
Affected (1 version range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| codepress | visitor_statistics | < 4.8 | 4.8 |
Detection & IOCs (extracted from sources)
URL: /wp-admin/admin-ajax.php?action=refDetails&requests={"refUrl":"' union select 1,1,md5(...),4-- "}
- Monitor for GET requests to /wp-admin/admin-ajax.php with the query parameter action=refDetails, particularly where the 'requests' parameter contains a JSON object with a 'refUrl' key holding SQL injection payloads (e.g. single quotes, UNION SELECT statements).
- The exploit requires prior authentication (even as a low-privilege subscriber). Detect sequences of a POST to /wp-login.php immediately followed by a GET to /wp-admin/admin-ajax.php?action=refDetails from the same session/IP.
- Alert on the AJAX action name 'refDetails' appearing in WordPress admin-ajax.php requests, as this is the specific vulnerable endpoint parameter used in exploitation.
- Look for URL-encoded SQL injection patterns in the 'requests' parameter of admin-ajax.php calls, such as %27 (single quote), UNION, SELECT, or -- (comment sequences) within the refUrl JSON field.
- The vulnerability is exploitable by any authenticated WordPress user, including those with the lowest role (subscriber). Detection rules should not be limited to admin-level sessions.
- The SQL injection payload is delivered via a JSON-encoded GET parameter ('requests'), not a POST body. WAF or IDS rules must inspect GET query string parameters, including URL-decoded JSON values.
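The detection points above (the action=refDetails marker, SQL metacharacters inside the URL-decoded refUrl JSON value, and a POST to /wp-login.php followed by the AJAX call from the same IP) as one runnable scanner over access-log lines. This is an added example, not code from this page, the plugin, or any of the sources listed here. The log lines are constructed, the 300-second login correlation window and the SQLI_RE pattern list are assumptions, and the sample payload uses plain column numbers where the PoC URL above uses md5(). It also handles the case where the 'requests' value is not valid JSON, so that breaking the JSON does not hide the payload from the rule.

```python
"""Access-log scanner for CVE-2021-24750 (refDetails SQLi) signals.

Added example; not taken from the page, the plugin or the listed sources.
Assumptions: Apache/nginx combined-style access logs, a 300-second window for
the login-then-AJAX correlation, and the SQLI_RE pattern list. All log lines
are constructed for illustration.
"""
import json
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample log (not real traffic). Line 1 is a benign refDetails call,
# line 3 is the injection right after a login from the same IP, line 5 carries
# an injection inside a malformed (non-JSON) 'requests' value.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Jan/2022:10:00:00 +0000] "GET /wp-admin/admin-ajax.php?action=refDetails&requests=%7B%22refUrl%22%3A%22https%3A%2F%2Fexample.com%2F%22%7D HTTP/1.1" 200 512
198.51.100.7 - - [05/Jan/2022:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.7 - - [05/Jan/2022:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=refDetails&requests=%7B%22refUrl%22%3A%22%27%20union%20select%201%2C1%2C3%2C4--%20%22%7D HTTP/1.1" 200 2048
203.0.113.10 - - [05/Jan/2022:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64
192.0.2.44 - - [05/Jan/2022:10:03:00 +0000] "GET /wp-admin/admin-ajax.php?action=refDetails&requests=%7BrefUrl%3A%27%20or%201%3D1--%20%7D HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Applied to the *decoded* refUrl value, so %27 / %20 / + encodings do not evade it.
SQLI_RE = re.compile(
    r"""
    '                                                   # breaks out of a string literal
    | \bunion\b\s+(?:all\s+)?\bselect\b                 # UNION [ALL] SELECT
    | --[\s)]                                           # MySQL line comment (needs a trailing space)
    | /\*                                               # block comment
    | \b(?:sleep|benchmark|extractvalue|updatexml)\s*\( # time- and error-based probes
    """,
    re.IGNORECASE | re.VERBOSE,
)


def extract_refurl(target):
    """Return (is_refdetails, value). value is the decoded refUrl string, or the
    whole decoded 'requests' parameter when it is not valid JSON (so breaking
    the JSON does not hide the payload), or None for non-refDetails requests."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return False, None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("action", [None])[0] != "refDetails":
        return False, None
    raw = qs.get("requests", [""])[0]  # parse_qs has already percent-decoded this
    try:
        obj = json.loads(raw)
    except ValueError:
        obj = None
    if isinstance(obj, dict) and isinstance(obj.get("refUrl"), str):
        return True, obj["refUrl"]
    return True, (raw if "refUrl" in raw else "")


def scan(log_text, login_window=timedelta(seconds=300)):
    """One finding per refDetails request whose refUrl matches SQLI_RE. Each
    finding also records whether the same IP POSTed to /wp-login.php within
    login_window beforehand: the endpoint needs an authenticated session, so a
    fresh login followed by refDetails is the sequence the PoC produces.
    Only the query string is inspected; POST bodies are not in access logs."""
    last_login = {}
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target = m["ip"], m["target"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if m["method"] == "POST" and urlsplit(target).path.endswith("/wp-login.php"):
            last_login[ip] = ts
            continue
        is_ref, value = extract_refurl(target)
        if not is_ref or not value:
            continue
        hit = SQLI_RE.search(value)
        if hit is None:
            continue
        recent = last_login.get(ip)
        findings.append({
            "line": lineno,
            "ip": ip,
            "refUrl": value,
            "pattern": hit.group(0),
            "login_before": recent is not None and ts - recent <= login_window,
        })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log it reports lines 3 and 5 only: the benign referrer on line 1 and the heartbeat action on line 4 produce nothing. The single-quote pattern is deliberately broad, which is acceptable because the rule is already scoped to action=refDetails; widen it to all admin-ajax.php actions and the apostrophe in ordinary referrers will start producing noise.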
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| vulncheck | | 8.8 | HIGH | |
| vendor_oracle | | 8.1 | HIGH | |
Note: the vendor_oracle score is taken from Oracle risk-matrix entries for CVE-2020-24750 (a jackson-databind issue), a different vulnerability; it does not describe this WordPress plugin flaw. The NVD v3.1 vector (network, low complexity, low privileges, no user interaction) matches the description: any authenticated subscriber can reach the endpoint.
GHSA
GHSA-p934-c89c-rc2m (ghsa_unreviewed · 2021-12-22 · HIGH · CWE-89)
The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks
VulnCheck
CVE-2021-24750 [HIGH] (vulncheck · 2021 · CVSS 8.8): codepress visitor_statistics, Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks
Affected: codepress visitor_statistics
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://unit42.paloaltonetworks.com/network-security-trends-cross-site-scripting/
Exploit PoC: https://vulncheck.com/xdb/687ae0b268c6
Oracle
Mismatched entries: the four Oracle risk-matrix records below concern CVE-2020-24750 (jackson-databind), not CVE-2021-24750. They carry no information about the WP Visitor Statistics plugin and are kept only because they appear in the aggregated sources.
| Advisory | Date | Product | Component | CVE | CVSS | Protocol | Remote exploit |
|---|---|---|---|---|---|---|---|
| cpuoct2021 (OCT 2021) | 2021-10-15 | Oracle Communications | Security (jackson-databind) | CVE-2020-24750 | 8.1 HIGH | HTTP | Yes |
| cpujul2021 (JUL 2021) | 2021-07-15 | Oracle Financial Services Applications | Onboarding (jackson-databind) | CVE-2020-24750 | 8.1 HIGH | HTTP | Yes |
| cpuapr2021 (APR 2021) | 2021-04-15 | Oracle Communications Applications | Event Reminders (jackson-databind) | CVE-2020-24750 | 8.1 HIGH | HTTP | Yes |
| cpujan2021 (JAN 2021) | 2021-01-15 | Oracle Communications | IDIH (jackson-databind) | CVE-2020-24750 | 8.1 HIGH | HTTP | Yes |
No detection rules found.
Exploit-DB
CVE-2021-24750 [HIGH] WordPress Plugin WP Visitor Statistics 4.7 - SQL Injection (exploitdb · 2022-01-05 · CVSS 8.8)
---
# Exploit Title: WordPress Plugin WP Visitor Statistics 4.7 - SQL Injection
# Date 22/12/2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://www.plugins-market.com/
# Software Link: https://downloads.wordpress.org/plugin/wp-stats-manager.4.7.zip
# Version: <= 4.7
# Tested on: Ubuntu 18.04
# CVE: CVE-2021-24750
# CWE: CWE-89
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24750/README.md
'''
Description:
The plugin does not properly sanitise and escape the refUrl in the refDetails AJAX action,
available to any authenticated user, which could allow users with a role as low as
subscriber to perform SQL injection attacks
'''
# Banner:
banner = '''
___ _ _ ____ ___ ___
Nuclei
CVE-2021-24750 [HIGH] WordPress Visitor Statistics (Real Time Traffic) <4.8 - SQL Injection (nuclei · CVSS 8.8)
WordPress Visitor Statistics (Real Time Traffic) plugin before 4.8 does not properly sanitize and escape the refUrl in the refDetails AJAX action, which is available to any authenticated user. This could allow users with a role as low as subscriber to perform SQL injection attacks.
Template:
id: CVE-2021-24750
info:
  name: WordPress Visitor Statistics (Real Time Traffic) <4.8 - SQL Injection
  author: cckuakilong
  severity: high
  description: WordPress Visitor Statistics (Real Time Traffic) plugin before 4.8 does not properly sanitize and escape the refUrl in the refDetails AJAX action, which is available to any authenticated user. This could allow users with a role as low as subscriber to perform SQL injection attacks.
  imp
Unit42
Network Security Trends: November 2021 to January 2022 (blogs_unit42 · 2022-05-31)
Author: Yue Guan · Published: May 31, 2022 · Threat Research Center · Tags: Threat Research, Vulnerabilities, Apache Log4j, Attack analysis, Denial of service, Exploit in Wild, Network security trends
## Executive Summary
Unit 42 researchers continually observe network attacks and search for insights that can assist defenders. Here, we summarize key trends from November 2021 to January 2022. In the following sections, we present our analysis of the most recently published vulnerabilities, including the severity distribution. We also classify vulnerabilities to provide a clear view of the prevalence of, for example, cross-site scripting or denial of service.
Cross-site scripting stood out as a commonly used technique. Among around 6,443 newly published vulnerabilities, we found that a large portion (almost 10.6%) still involve this technique. However, by evaluating around 167 million attack sessions and focusing on the latest exploits in the wild, we conclude that remote code execution
References
- http://packetstormsecurity.com/files/165433/WordPress-WP-Visitor-Statistics-4.7-SQL-Injection.html
- https://plugins.trac.wordpress.org/changeset/2622268
- https://wpscan.com/vulnerability/7528aded-b8c9-4833-89d6-9cd7df3620de