CVE-2021-24340
Last modified
CVE-2021-24340 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. The WP Statistics WordPress plugin before 13.0.8 relied on using the WordPress esc_sql() function on a field not delimited by quotes and did not first prepare the query. Additionally, the page, which should have been accessible to administrator only, was also available to any visitor, including unauthenticated ones.. EPSS estimates a 26.93% chance of exploitation in the next 30 days.
Description
The WP Statistics WordPress plugin before 13.0.8 relied on using the WordPress esc_sql() function on a field not delimited by quotes and did not first prepare the query. Additionally, the page, which should have been accessible to administrator only, was also available to any visitor, including unauthenticated ones.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Veronalabs | Wp Statistics | < 13.0.8 |
References
- https://wpscan.com/vulnerability/d2970cfb-0aa9-4516-9a4b-32971f41a19cExploit, Third Party Advisory
- https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistics-patch/Exploit, Third Party Advisory
- https://wpscan.com/vulnerability/d2970cfb-0aa9-4516-9a4b-32971f41a19cExploit, Third Party Advisory
- https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistics-patch/Exploit, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2021-24340?
How severe is CVE-2021-24340?
How do I fix CVE-2021-24340?
Are you affected by CVE-2021-24340?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST