CVE-2021-24340
Summary
| CVE | CVE-2021-24340 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-06-07 11:15:00 UTC |
| Updated | 2021-06-14 17:47:00 UTC |
| Description | The WP Statistics WordPress plugin before 13.0.8 relied on using the WordPress esc_sql() function on a field not delimited by quotes and did not first prepare the query. Additionally, the page, which should have been accessible to administrator only, was also available to any visitor, including unauthenticated ones. |
Risk And Classification
Problem Types: CWE-89
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Veronalabs | Wp Statistics | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Over 600,000 Sites Impacted by WP Statistics Patch | MISC | www.wordfence.com | |
| wpscan.com | CONFIRM | wpscan.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Ram Gall (Wordfence)
Legacy QID Mappings
- 730091 WordPress WP Statistics Plugin SQL Injection Vulnerability