Vulnerability Description
The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Codepress | Visitor Statistics | < 4.8 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/165433/WordPress-WP-Visitor-Statistics-4.7-ExploitThird Party AdvisoryVDB Entry
- https://plugins.trac.wordpress.org/changeset/2622268PatchThird Party Advisory
- https://wpscan.com/vulnerability/7528aded-b8c9-4833-89d6-9cd7df3620deExploitThird Party Advisory
- http://packetstormsecurity.com/files/165433/WordPress-WP-Visitor-Statistics-4.7-ExploitThird Party AdvisoryVDB Entry
- https://plugins.trac.wordpress.org/changeset/2622268PatchThird Party Advisory
- https://wpscan.com/vulnerability/7528aded-b8c9-4833-89d6-9cd7df3620deExploitThird Party Advisory
FAQ
What is CVE-2021-24750?
CVE-2021-24750 is a vulnerability with a CVSS score of 8.8 (HIGH). The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which cou...
How severe is CVE-2021-24750?
CVE-2021-24750 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-24750?
Check the references section above for vendor advisories and patch information. Affected products include: Codepress Visitor Statistics.