CVE-2021-24750
published 2021-12-21


Priority: P1 · 80 · high
CVSS 3.1: 8.8 (AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H)
In-the-wild exploit: VulnCheck KEV (exploited in the wild)
EPSS: 38.30% (98.4th percentile)
The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks

Affected (1 range)

Vendor: codepress · Product: visitor_statistics · Version range: < 4.8 · Fixed in: 4.8

Detection & IOCs (extracted from sources)

url: /wp-admin/admin-ajax.php?action=refDetails&requests={"refUrl":"' union select 1,1,md5(...),4-- "}
path: /wp-admin/admin-ajax.php
  • Monitor for GET requests to /wp-admin/admin-ajax.php with the query parameter action=refDetails, particularly where the 'requests' parameter contains a JSON object with a 'refUrl' key holding SQL injection payloads (e.g., single quotes, UNION SELECT statements).
  • The exploit requires prior authentication (even as a low-privilege subscriber). Detect sequences of a POST to /wp-login.php immediately followed by a GET to /wp-admin/admin-ajax.php?action=refDetails from the same session/IP.
  • Alert on the AJAX action name 'refDetails' appearing in WordPress admin-ajax.php requests, as this is the specific vulnerable endpoint parameter used in exploitation.
  • Look for URL-encoded SQL injection patterns in the 'requests' parameter of admin-ajax.php calls, such as %27 (single quote), UNION, SELECT, or -- (comment sequences) within the refUrl JSON field.
  • The vulnerability is exploitable by any authenticated WordPress user, including those with the lowest role (subscriber). Detection rules should not be limited to admin-level sessions.
  • The SQL injection payload is delivered via a JSON-encoded GET parameter ('requests'), not a POST body. WAF or IDS rules must inspect GET query string parameters, including URL-decoded JSON values.
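The detection notes above can be turned into a small log-scanning routine. The following is an added example written for this page, not code from the plugin, VulnCheck or NVD: it parses combined-format access log lines (the sample lines are constructed, not real traffic), URL-decodes the `requests` query parameter of admin-ajax.php calls, pulls the `refUrl` key out of the JSON, flags the SQL injection indicators the notes list (single quote, UNION/SELECT, `--`), and correlates each refDetails call with an earlier POST to /wp-login.php from the same IP. The log format and the `SQLI_RE` indicator list are assumptions chosen for illustration.

```python
import json
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Access-log lines constructed for this example (not from any real server).
# Line 2 carries an injection-style refUrl (URL-encoded JSON); line 3 is benign.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Dec/2021:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0
10.0.0.5 - - [21/Dec/2021:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=refDetails&requests=%7B%22refUrl%22%3A%22%27%20union%20select%201%2C1%2Cmd5%28x%29%2C4--%20%22%7D HTTP/1.1" 200 812
10.0.0.9 - - [21/Dec/2021:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=refDetails&requests=%7B%22refUrl%22%3A%22https%3A%2F%2Fexample.org%2F%22%7D HTTP/1.1" 200 640
10.0.0.7 - - [21/Dec/2021:10:03:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 50
"""

# Combined-log-format prefix: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators taken from the detection notes: quote, UNION/SELECT keywords, SQL comment.
SQLI_RE = re.compile(r"'|\bunion\b|\bselect\b|--", re.IGNORECASE)

AJAX_PATH = "/wp-admin/admin-ajax.php"
VULN_ACTION = "refDetails"


def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def ref_url_from_target(target):
    """Return the refUrl string from a refDetails request target, or None for other requests.

    parse_qs URL-decodes the query once; the value is decoded a second time so that a
    double-encoded %27 inside the JSON string is still visible to the indicator regex.
    """
    parts = urlsplit(target)
    if parts.path != AJAX_PATH:
        return None
    qs = parse_qs(parts.query)
    if qs.get("action", [""])[0] != VULN_ACTION:
        return None
    raw = qs.get("requests", [None])[0]
    if raw is None:
        return ""  # refDetails without a payload is still worth recording
    try:
        payload = json.loads(raw)
    except ValueError:
        return unquote(raw)  # malformed JSON: inspect the raw string instead
    if isinstance(payload, dict):
        return unquote(str(payload.get("refUrl", "")))
    return unquote(str(payload))


def scan(log_text):
    """Return one alert per refDetails call, with SQLi and login-correlation flags."""
    logged_in = set()  # IPs that POSTed to /wp-login.php earlier in the log
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and urlsplit(rec["target"]).path == "/wp-login.php":
            logged_in.add(rec["ip"])
            continue
        ref = ref_url_from_target(rec["target"])
        if ref is None:
            continue
        alerts.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "refUrl": ref,
            "sqli": bool(SQLI_RE.search(ref)),
            "after_login": rec["ip"] in logged_in,
        })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        level = "ALERT" if alert["sqli"] else "info"
        print(f"[{level}] {alert['ip']} {alert['ts']} after_login={alert['after_login']} refUrl={alert['refUrl']!r}")
```

Every refDetails call is recorded, not only the ones with injection indicators, because the endpoint itself is the vulnerable parameter named in the notes; the `sqli` flag decides which records page someone and the `after_login` flag supports the login-then-refDetails sequence rule.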

CVSS provenance

nvd v3.1: 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
nvd v2.0: 6.5 MEDIUM (AV:N/AC:L/Au:S/C:P/I:P/A:P)
vulncheck: 8.8 HIGH
vendor_oracle: 8.1 HIGH