CVE-2021-24167
📋 TL;DR
This vulnerability in Web-Stat WordPress plugin versions before 1.4.0 allows information disclosure through client-side requests. When visitors access a site with the vulnerable plugin, their browsers automatically send requests to an external server that could expose WordPress account information. WordPress site administrators using Web-Stat <1.4.0 are affected.
💻 Affected Systems
- Web-Stat WordPress Plugin
📦 What is this software?
Web Stat by Web Stat
⚠️ Risk & Real-World Impact
Worst Case
Attackers could harvest WordPress user account information including usernames, potentially enabling credential stuffing attacks or targeted phishing campaigns against site administrators.
Likely Case
WordPress account usernames are exposed to third-party servers, allowing attackers to identify valid accounts for brute force attacks or reconnaissance.
If Mitigated
With proper network segmentation and monitoring, the impact is limited to potential username exposure without direct system compromise.
🎯 Exploit Status
Exploitation requires no authentication: simply visiting an affected WordPress site triggers the vulnerability, because the plugin's own client-side code issues the external request. The exploit is trivial to implement.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.4.0
Vendor Advisory: https://wpscan.com/vulnerability/e7326903-1552-4934-a611-fc0b43236d60
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Web-Stat plugin.
4. Click 'Update Now' if available.
5. If no update is available, download version 1.4.0+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Disable Web-Stat Plugin
Temporarily disable the vulnerable plugin until patching is possible
wp plugin deactivate web-stat
Block External Requests
Configure the web application firewall to block requests to the wts2.one domain
🧯 If You Can't Patch
- Implement strict network egress filtering to block requests to the wts2.one domain
- Deploy a Content Security Policy (CSP) header that restricts which origins page scripts may connect to (the connect-src directive governs XMLHttpRequest destinations), so the browser refuses the external request
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for Web-Stat version. If version is below 1.4.0, the system is vulnerable.
Check Version:
wp plugin get web-stat --field=version
Verify Fix Applied:
Verify Web-Stat plugin version is 1.4.0 or higher in WordPress admin panel. Monitor browser developer tools to confirm no requests to wts2.one/ajax.htm are made.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to wts2.one/ajax.htm?action=lookup_WP_account in web server logs
- Outbound connections to wts2.one domain
Network Indicators:
- Outbound HTTPS requests to wts2.one on port 443
- XMLHttpRequest patterns to external domains from WordPress sites
SIEM Query:
destination_host='wts2.one' AND url_path='/ajax.htm' AND query_string='action=lookup_WP_account'
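As an added example (not part of this advisory or of the Web-Stat plugin), the following Python script applies the log indicators above to proxy or web log lines. The log format and the sample lines are constructed for illustration; the full indicator is host wts2.one, path /ajax.htm and query parameter action=lookup_WP_account, matched case-insensitively so that trivially varied spellings are not missed. Lines that reach wts2.one with a different action are reported at a lower level so an analyst can still review them.

```python
# Added example, not code from the advisory or the plugin: scan log lines for
# the CVE-2021-24167 indicator (wts2.one/ajax.htm?action=lookup_WP_account).
import re
from urllib.parse import parse_qs, urlsplit

INDICATOR_HOST = "wts2.one"
INDICATOR_PATH = "/ajax.htm"
INDICATOR_ACTION = "lookup_wp_account"  # compared case-insensitively

# Constructed sample lines in a simplified
# "<timestamp> <client> <method> <url> <status>" proxy-log format.
SAMPLE_LOG = """\
2021-03-01T10:00:01Z 10.0.0.5 GET https://wts2.one/ajax.htm?action=lookup_WP_account&site=blog.example 200
2021-03-01T10:00:02Z 10.0.0.5 GET https://cdn.example.net/jquery.min.js 200
2021-03-01T10:00:03Z 10.0.0.7 GET https://wts2.one/ajax.htm?action=ping 200
2021-03-01T10:00:04Z 10.0.0.9 POST https://WTS2.ONE/ajax.htm?ACTION=lookup_WP_account 200
2021-03-01T10:00:05Z 10.0.0.9 GET https://example.org/wp-login.php 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify_url(url):
    """Return 'lookup' for the full indicator, 'host' for any other request
    to wts2.one, and None for unrelated URLs."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()  # hostname is already lowercased
    if host != INDICATOR_HOST:
        return None
    if parts.path.lower() != INDICATOR_PATH:
        return "host"
    # Lowercase query keys and values so ACTION=... is matched as well.
    query = {k.lower(): [v.lower() for v in vals]
             for k, vals in parse_qs(parts.query).items()}
    if INDICATOR_ACTION in query.get("action", []):
        return "lookup"
    return "host"


def scan_log(text):
    """Parse log lines and return a list of findings (malformed lines skipped)."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate noise instead of aborting the scan
        ts, client, method, url, status = m.groups()
        level = classify_url(url)
        if level:
            findings.append({"time": ts, "client": client, "method": method,
                             "url": url, "status": status, "level": level})
    return findings


def affected_clients(findings):
    """Clients whose browsers issued the account-lookup request."""
    return sorted({f["client"] for f in findings if f["level"] == "lookup"})


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"{f['level']:6} {f['time']} {f['client']} {f['url']}")
    print("affected clients:", affected_clients(results))
```

Because the request is made by visitors' browsers, it shows up in the visitors' egress (proxy) logs rather than in the WordPress server's own access log unless that traffic is proxied; the 'host' level catches other traffic to the same domain, which is useful when confirming that the workaround (WAF or CSP blocking) is actually effective.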