Main Vulnerability Database Vulnerabilities #VU53400

SQL injection in WP Statistics - CVE-2021-24340

Published: May 20, 2021

Vulnerability identifier: #VU53400

CSH Severity: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2021-24340

CWE-ID: CWE-89

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
WP Statistics

Software vendor:
VeronaLabs

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data in the "ID" and "type" input parameters in "esc_sql" function. A remote attacker can send a specially crafted request to the affected application and extract sensitive data from the site, such as user emails, password hashes, encryption keys and salts.

Remediation

Install updates from vendor's website.

External links

https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistics-patch/

SQL injection in WP Statistics - CVE-2021-24340

Description

Remediation

External links

Please verify you're human