GoFuckYourself.com - Adult Webmaster Forum

GoFuckYourself.com - Adult Webmaster Forum (https://gfy.com/index.php)
-   Fucking Around & Business Discussion (https://gfy.com/forumdisplay.php?f=26)
-   -   News blind SQLi vulnerability in WP Statistics plugin (https://gfy.com/showthread.php?t=1345203)

carolwebb 05-21-2021 11:01 PM
blind SQLi vulnerability in WP Statistics plugin
 
https://portswigger.net/daily-swig/w...tistics-plugin


Quote:
WP Statistics, a popular web analytics plugin for WordPress, contained a time-based blind SQL injection vulnerability that, if exploited, could result in sensitive information being exfiltrated from a site’s database.


The nature of the high severity (CVSS score 7.5) pre-authenticated vulnerability (CVE-2021-24340) means “exfiltrating information would be a relatively slow process, and it would be impractical to use it to extract bulk records”, said Ram Gall, threat analyst and QA engineer at WordPress security platform Wordfence, in a blog post published on Tuesday (May 18).
Quote:
Although the function is supposed to be restricted to administrators, “it was possible to start loading this page’s constructor by sending a request to wp-admin/admin.php with the page parameter set to wps_pages_page”, continued the threat analyst.

“Since the SQL query ran in the Page constructor,” any visitor could trigger the SQL query without logging in. “A malicious actor could then supply malicious values for the ID or type parameters.”

CurrentlySober 05-22-2021 03:41 PM
i cunt a4d WP Statistics, a popular web analytics plugin for WordPress... :(

so ears a bump for those what can...


All times are GMT -7. The time now is 04:04 AM.

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2025, vBulletin Solutions, Inc.
©2000-, AI Media Network Inc