CVE-2021-24340

🗓️ 07 Jun 2021 10:49:50Reported by WPScanType

cve🔗 web.nvd.nist.gov📰️ 8 Media mentions👁 207 Views🌐 WEB

The WP Statistics WordPress plugin before 13.0.8 is prone to SQL injection and unauthorized access

Reporter	Title	Published	Views	Family All 13
CNNVD	WordPress 插件SQL注入漏洞	20 May 202100:00	–	cnnvd
CNVD	WordPress plugin SQL injection vulnerability (CNVD-2021-44300)	25 May 202100:00	–	cnvd
Cvelist	CVE-2021-24340 WP Statistics < 13.0.8 - Unauthenticated SQL Injection	7 Jun 202110:49	–	cvelist
Dsquare	WordPress WP Statistics < 13.0.8 SQL Injection	12 Jun 202100:00	–	dsquare
Nuclei	WordPress Statistics <13.0.8 - Blind SQL Injection	29 May 202603:59	–	nuclei
NVD	CVE-2021-24340	7 Jun 202111:15	–	nvd
OpenVAS	WordPress WP Statistics Plugin < 13.0.8 SQLi Vulnerability	21 Feb 202200:00	–	openvas
Prion	Buffer overflow	7 Jun 202111:15	–	prion
RedhatCVE	CVE-2021-24340	22 May 202519:21	–	redhatcve
ThreatPost	WP Statistics Bug Lets Attackers Lift Sites’ Data	21 May 202117:30	–	threatpost

NVD

Vulners

Node

veronalabs wp_statisticsRange<13.0.8wordpress

[
  {
    "product": "WP Statistics",
    "vendor": "VeronaLabs",
    "versions": [
      {
        "lessThan": "13.0.8",
        "status": "affected",
        "version": "13.0.8",
        "versionType": "custom"
      }
    ]
  }
]

Source	Link
wordfence	www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistics-patch/
wpscan	www.wpscan.com/vulnerability/d2970cfb-0aa9-4516-9a4b-32971f41a19c

Parameter	Position	Path	Description	CWE
ID	query param	/wp-admin/admin.php?page=wps_pages_page&ID=0+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))SQLi)&type=home	SQL injection vulnerability due to unprepared SQL concatenation and improper quoting in a WordPress plugin; also access control flaw exposing admin page to unauthenticated users.	CWE-89

21 Nov 2024 05:52Current

7.6High risk

Vulners AI Score7.6

CVSS 25

CVSS 3.17.5

EPSS0.83207

CWE-89

wp statistics wordpress plugin sql injection unauthorized access cve-2021-24340 nvd