Vulnerability Description
The WP Statistics WordPress plugin before 13.0.8 relied on using the WordPress esc_sql() function on a field not delimited by quotes and did not first prepare the query. Additionally, the page, which should have been accessible to administrator only, was also available to any visitor, including unauthenticated ones.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Veronalabs | Wp Statistics | < 13.0.8 |
Related Weaknesses (CWE)
References
- https://wpscan.com/vulnerability/d2970cfb-0aa9-4516-9a4b-32971f41a19cExploitThird Party Advisory
- https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistiExploitThird Party Advisory
- https://wpscan.com/vulnerability/d2970cfb-0aa9-4516-9a4b-32971f41a19cExploitThird Party Advisory
- https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistiExploitThird Party Advisory
FAQ
What is CVE-2021-24340?
CVE-2021-24340 is a vulnerability with a CVSS score of 7.5 (HIGH). The WP Statistics WordPress plugin before 13.0.8 relied on using the WordPress esc_sql() function on a field not delimited by quotes and did not first prepare the query. Additionally, the page, which ...
How severe is CVE-2021-24340?
CVE-2021-24340 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-24340?
Check the references section above for vendor advisories and patch information. Affected products include: Veronalabs Wp Statistics.