CVE-2023-0600
Published 2023-05-15
Priority: P1 (80) · Critical 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 4.23% (89.8th percentile)
The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 6.9 does not escape user input which is concatenated to an SQL query, allowing unauthenticated visitors to conduct SQL Injection attacks.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| codepress | visitor_statistics | < 6.9 | 6.9 |
Detection & IOCs (extracted from sources)
Command: sleep(6)
Sigma-style rule as indexed. Note that the selection entries are Nuclei DSL matcher expressions (status_code, contains(body, ...)) rather than Sigma field/value selectors, so the rule needs translating before it will load in a Sigma backend:
```yaml
title: WP Visitor Statistics SQLi Detection
detection:
  selection:
    - 'status_code == 200'
    - 'contains(body, "sleep(6)")'
  condition: and
```
- The vulnerability is exploitable by unauthenticated visitors; no authentication is required. Monitor for SQL injection payloads (for example, time-based blind SQLi using sleep()) in HTTP request and response bodies targeting WP Visitor Statistics plugin endpoints.
- The rule triggers on HTTP 200 responses whose body contains 'sleep(6)', i.e. the probe payload echoed back by the application. That shows the payload reached the plugin; it does not by itself prove the sleep executed. To confirm a time-based injection, also check the response latency (roughly 6 seconds for this payload).
- Affected versions are WP Visitor Statistics (Real Time Traffic) plugin versions before 6.9. Apply version scoping when deploying detections to avoid false positives on patched installations.
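As an added worked example (not code from this page, the plugin, or the rule sources), the following Python scans web-server access-log lines for time-based blind SQLi payloads of the kind the notes above describe, and separates a payload that was merely sent from one whose delay actually shows up in the request time. The log format (nginx combined format with $request_time appended), the admin-ajax paths and the sample lines are all constructed for illustration and are not the plugin's real endpoint or real traffic.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines for this example (nginx "combined" format with
# $request_time appended as the final field). The paths are generic WordPress
# admin-ajax URLs chosen for illustration, not the plugin's actual endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [15/May/2023:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=stats&id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0" 0.041
203.0.113.7 - - [15/May/2023:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=stats&id=1%27%20AND%20sleep(6)--%20- HTTP/1.1" 200 612 "-" "sqlmap/1.7" 6.012
203.0.113.7 - - [15/May/2023:10:01:20 +0000] "GET /wp-admin/admin-ajax.php?action=stats&id=1%2527%2520AND%2520SLEEP(6)%2523 HTTP/1.1" 500 88 "-" "sqlmap/1.7" 0.030
198.51.100.9 - - [15/May/2023:10:02:00 +0000] "GET /index.php?p=1 HTTP/1.1" 200 2048 "-" "curl/8.0" 0.012
"""

# One regex for the assumed log layout: client ip, timestamp, request line,
# status, bytes, referer, user agent, request time.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)" (?P<rt>[\d.]+)$'
)

# Time-based blind SQLi primitives. WordPress runs on MySQL, so sleep() and
# benchmark() are the relevant ones; pg_sleep and WAITFOR DELAY are included
# so the same scanner is useful against non-WordPress logs.
TIME_BASED_RE = re.compile(
    r'\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b', re.IGNORECASE
)
SLEEP_SECONDS_RE = re.compile(r'\bsleep\s*\(\s*(\d+)\s*\)', re.IGNORECASE)


def decode_target(target: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads (%2527 -> %27 -> ') are caught."""
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def analyze_line(line: str):
    """Return a finding dict if the line carries a time-based SQLi payload, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_target(m["target"])
    if not TIME_BASED_RE.search(decoded):
        return None
    status = int(m["status"])
    rt = float(m["rt"])
    sleep_match = SLEEP_SECONDS_RE.search(decoded)
    expected = int(sleep_match.group(1)) if sleep_match else None
    # Seeing the payload only proves it was sent. The server-side delay is the
    # evidence that the injected SQL actually ran, so require the observed
    # request time to reach most of the requested sleep before calling it confirmed.
    if expected is not None and status == 200 and rt >= 0.9 * expected:
        verdict = "confirmed"
    else:
        verdict = "probe"
    return {
        "ip": m["ip"],
        "timestamp": m["ts"],
        "path": decoded,
        "status": status,
        "request_time": rt,
        "expected_delay": expected,
        "verdict": verdict,
    }


def scan_log(text: str):
    """Run analyze_line over every line and collect the findings in order."""
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f'{finding["verdict"]:9} {finding["ip"]} {finding["status"]} '
              f'{finding["request_time"]:.3f}s  {finding["path"]}')
```

On the constructed input the second line is reported as confirmed (payload present, HTTP 200, 6.012 s request time against a requested 6 s sleep) and the third only as a probe (payload present but a 500 in 30 ms), which is the distinction the rule's string match alone cannot make. The 0.9 factor absorbs timer jitter; tighten or loosen it to the latency profile of the site being monitored.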
CVSS provenance
NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL
GHSA
GHSA-455h-8qp6-7gm7 · ghsa_unreviewed · 2023-05-15 · CWE-89 · CRITICAL
The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 6.9 does not escape user input which is concatenated to an SQL query, allowing unauthenticated visitors to conduct SQL Injection attacks.
VulnCheck
codepress visitor_statistics: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
vulncheck · 2023 · CVSS 9.8 · CRITICAL
The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 6.9 does not escape user input which is concatenated to an SQL query, allowing unauthenticated visitors to conduct SQL Injection attacks.
Affected: codepress visitor_statistics
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2023-0600
No detection rules found.
Nuclei
WP Visitor Statistics (Real Time Traffic) < 6.9 - SQL Injection
nuclei · CVSS 9.8 · CRITICAL
Template fragment as indexed (the request section was not captured; only the tail of the matcher block survives):
```yaml
WP Visitor Statistics (Real Time Traffic) =6'
    - 'status_code == 200'
    - 'contains(body, "sleep(6)")'
    condition: and
# digest: 4a0a00473045022059b1c36fc70fefdfc02daf2741d4a19c0ac462e611840cc46d798d54ca51e612022100e7aad0a900dc326fdaaa47824c14b9814c797af92f1113252692e3b7fdb53db2:922c64590222798bb761d5b6d8e72950
```
No writeups or analysis indexed.
Timeline: 2023-05-15 Published · Exploited in the wild