Old 05-21-2021, 11:01 PM   #1
carolwebb
Confirmed User
 
Industry Role:
Join Date: Jan 2020
Posts: 221
blind SQLi vulnerability in WP Statistics plugin

https://portswigger.net/daily-swig/w...tistics-plugin


Quote:
WP Statistics, a popular web analytics plugin for WordPress, contained a time-based blind SQL injection vulnerability that, if exploited, could result in sensitive information being exfiltrated from a site’s database.


The nature of the high severity (CVSS score 7.5) pre-authenticated vulnerability (CVE-2021-24340) means “exfiltrating information would be a relatively slow process, and it would be impractical to use it to extract bulk records”, said Ram Gall, threat analyst and QA engineer at WordPress security platform Wordfence, in a blog post published on Tuesday (May 18).
Quote:
Although the function is supposed to be restricted to administrators, “it was possible to start loading this page’s constructor by sending a request to wp-admin/admin.php with the page parameter set to wps_pages_page”, continued the threat analyst.

“Since the SQL query ran in the Page constructor,” any visitor could trigger the SQL query without logging in. “A malicious actor could then supply malicious values for the ID or type parameters.”
__________________

BCams
:
hard core redditor
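Because the quoted advisory says the query ran pre-authentication whenever wp-admin/admin.php was requested with page=wps_pages_page, and that the ID and type parameters were the ones a visitor could tamper with, a defender can look for exactly that request shape in web-server logs. The following is an added example, not code from the article, from Wordfence, or from the WP Statistics plugin. It assumes a combined-format access log with one extra trailing field holding the response time in milliseconds, a hypothetical 3000 ms "slow" threshold (time-based blind extraction shows up as repeated slow responses), and the assumption that a legitimate ID is an integer and a legitimate type is a plain alphanumeric token. The log lines are constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Combined log format plus a trailing response-time field in ms (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<ms>\d+)$'
)

SLOW_MS = 3000  # hypothetical threshold; tune to the site's normal admin-page latency

# Per-parameter shape a legitimate request should have (assumption, not plugin documentation).
EXPECTED_SHAPE = {"ID": r"\d+", "type": r"[A-Za-z0-9_-]+"}

# Constructed sample log: one normal admin request, three suspicious requests from
# one client, one request to a different plugin page, and one unparseable line.
SAMPLE_LOG = """\
203.0.113.5 - - [21/May/2021:10:00:01 +0000] "GET /wp-admin/admin.php?page=wps_pages_page&ID=7&type=page HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 84
198.51.100.23 - - [21/May/2021:10:02:11 +0000] "GET /wp-admin/admin.php?page=wps_pages_page&ID=7%27&type=page HTTP/1.1" 200 5120 "-" "curl/7.68.0" 5012
198.51.100.23 - - [21/May/2021:10:02:17 +0000] "GET /wp-admin/admin.php?page=wps_pages_page&ID=7&type=page%27 HTTP/1.1" 200 5120 "-" "curl/7.68.0" 5008
198.51.100.23 - - [21/May/2021:10:02:23 +0000] "GET /wp-admin/admin.php?page=wps_pages_page&ID=8&type=page HTTP/1.1" 200 5120 "-" "curl/7.68.0" 4990
203.0.113.9 - - [21/May/2021:10:03:00 +0000] "GET /wp-admin/admin.php?page=wps_overview HTTP/1.1" 200 2048 "-" "Mozilla/5.0" 90
this line is not an access-log record
"""


@dataclass(frozen=True)
class Finding:
    ip: str
    ts: str
    reasons: tuple


def parse_line(line):
    """Return a dict of log fields, or None if the line does not match the format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ms"] = int(rec["ms"])
    return rec


def inspect_request(rec):
    """Flag a wps_pages_page request whose ID/type look malformed or whose response was slow."""
    url = urlsplit(rec["target"])
    if not url.path.endswith("/wp-admin/admin.php"):
        return None
    qs = parse_qs(url.query, keep_blank_values=True)
    if qs.get("page") != ["wps_pages_page"]:
        return None

    reasons = []
    for param, pattern in EXPECTED_SHAPE.items():
        for value in qs.get(param, []):
            if re.fullmatch(pattern, value) is None:
                reasons.append(f"{param} not well-formed: {value!r}")
    if rec["ms"] >= SLOW_MS:
        reasons.append(f"slow response: {rec['ms']} ms")

    return Finding(rec["ip"], rec["ts"], tuple(reasons)) if reasons else None


def scan_log(text):
    """Run inspect_request over every parseable line and collect the findings."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        finding = inspect_request(rec)
        if finding is not None:
            findings.append(finding)
    return findings


def repeat_offenders(findings, min_hits=3):
    """Clients with at least min_hits findings: blind extraction needs many slow requests."""
    counts = Counter(f.ip for f in findings)
    return {ip: n for ip, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f.ip, f.ts, "; ".join(f.reasons))
    print("repeat offenders:", repeat_offenders(hits))
```

The malformed-parameter check catches the probing requests, and the latency check catches the ones that pass the shape test but still stall the server; grouping by client address is what turns isolated slow hits into something worth triaging, since a single slow admin page load is unremarkable but a burst of them from one unauthenticated client against this specific page is not.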
Old 05-22-2021, 03:41 PM   #2
CurrentlySober
Too lazy to wipe my ass
 
CurrentlySober's Avatar
 
Industry Role:
Join Date: Aug 2002
Location: A Public Bathroom
Posts: 38,488
i cunt a4d WP Statistics, a popular web analytics plugin for WordPress...

so ears a bump for those what can...
__________________


👁️ 👍️ 💩
©2000-, AI Media Network Inc