CVE-2021-24750
Summary
| CVE | CVE-2021-24750 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-12-21 09:15:00 UTC |
| Updated | 2022-08-04 16:19:00 UTC |
| Description | The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks |
Risk And Classification
Problem Types: CWE-89
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Plugins-market | Wp Visitor Statistics Real Time Traffic | All | All | All | All |
| Application | Wp Visitor Statistics Real Time Traffic Project | Wp Visitor Statistics Real Time Traffic | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| WordPress WP Visitor Statistics 4.7 SQL Injection ≈ Packet Storm | MISC | packetstormsecurity.com | |
| 403 Forbidden | CONFIRM | plugins.trac.wordpress.org | |
| Attention Required! | Cloudflare | MISC | wpscan.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Krzysztof Zając
There are currently no legacy QID mappings associated with this CVE.