SQL Injection in Veronalabs Wp Statistics

CVE-2021-24340

The WP Statistics WordPress plugin before 13.0.8 relied on using the WordPress esc_sql() function on a field not delimited by quotes and did not first prepare the query. Additionally, the page, which should have been accessible to administ…

Vulnerability class: SQL Injection

EPSS: 0.832 (99.3th percentile).

Frequently asked questions

What is CVE-2021-24340?
CVE-2021-24340 is a vulnerability in Veronalabs Wp Statistics, classified under SQL Injection. Published 2021-06-07.
Is CVE-2021-24340 known to be exploited?
5 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.