cbcvebase.
CVE-2023-0600
published 2023-05-15


Priority: P180 (critical), CVSS 3.1 base score 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Badges: ITW, EXPLOIT (listed in VulnCheck KEV)
Exploited in the wild
EPSS: 4.23% (89.8th percentile)
The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 6.9 does not escape user input which is concatenated to an SQL query, allowing unauthenticated visitors to conduct SQL Injection attacks.

Affected

1 range
Vendor      Product             Version range   Fixed in
codepress   visitor_statistics  < 6.9           6.9

Detection & IOCs (extracted from sources)

command: sleep(6)

sigma:
title: WP Visitor Statistics SQLi Detection
logsource:
  # logsource block added so the rule is well-formed Sigma; category is an assumption
  category: webserver
detection:
  selection:
    # field names (status_code, body) are the ones the page uses
    status_code: 200
    body|contains: 'sleep(6)'
  condition: selection

  • The vulnerability is exploitable by unauthenticated visitors (no authentication required). Monitor for SQL injection payloads (e.g., time-based blind SQLi using sleep()) in HTTP request/response bodies targeting WP Visitor Statistics plugin endpoints.
  • The detection rule triggers on HTTP 200 responses whose body contains 'sleep(6)', indicating a successful time-based blind SQL injection probe against the plugin.
  • Affected versions are WP Visitor Statistics (Real Time Traffic) plugin versions before 6.9. Apply version scoping when deploying detections to avoid false positives on patched installations.

CVSS provenance

nvd: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL