WP Visitor Statistics (Real Time Traffic) < 6.9 - Unauthenticated SQLi
CVE-2023-0600

9.8CRITICAL

Key Information:

Vendor: Wordpress
Status: WP Visitor Statistics (real Time Traffic)
Vendor: CVE Published:; 15 May 2023

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 11%

Summary

The WP Visitor Statistics (Real Time Traffic) plugin for WordPress, prior to version 6.9, is vulnerable to SQL Injection due to inadequate input sanitization. This flaw enables unauthenticated users to manipulate SQL queries, potentially gaining unauthorized access to sensitive data or compromising the integrity of the database. Proper input validation is essential to mitigate the risks associated with such vulnerabilities.

Affected Version(s)

WP Visitor Statistics (Real Time Traffic) 0 < 6.9

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2023-0600 - Proof of Concept

References

https://wpscan.com/vulnerability/8f46df4d-cb80-4d66-846f-...

exploitvdb-entrytechnical-description

EPSS Score

11% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
May 15, 2023
👾
Exploit known to exist
May 15, 2023
Vulnerability published
May 15, 2023
Vulnerability Reserved
Jan 31, 2023

Credit

Trần Quốc Trường An

WPScan