CVE-2021-24340

7.5 HIGH

📋 TL;DR

This vulnerability in the WP Statistics WordPress plugin allows SQL injection: a database query on one of the plugin's admin pages was built from request parameters without prepared statements or input sanitisation. The affected page could also be reached without logging in, so an unauthenticated attacker can inject into the query. The injection is blind and time-based (data is extracted by measuring response delays rather than read from the response body), which makes it slower than a classic UNION-based injection but fully scriptable. All versions before 13.0.8 are affected; the plugin had more than 600,000 active installations at the time of disclosure.

💻 Affected Systems

Products:
  • WP Statistics WordPress Plugin
Versions: All versions before 13.0.8
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations with the vulnerable plugin version, regardless of OS or hosting environment.

📦 What is this software?

WP Statistics is a free analytics plugin for WordPress. It records visitor data (hits, referrers, browsers, visited pages) in the site's own database tables and presents reports on pages under the WordPress admin dashboard. Because it stores and queries its own data in the WordPress database, an injection in one of its report pages reaches the whole database, not just the plugin's tables.
⚠️ Risk & Real-World Impact

🔴

Worst Case

Read access to the entire WordPress database, including wp_users password hashes, session tokens and configuration, leading to account takeover; data modification or deletion, and code execution, where the database user holds privileges beyond what WordPress needs (for example FILE with a writable web root) or where extracted credentials are reused elsewhere.

🟠

Likely Case

Extraction of database contents, including administrator password hashes, by a remote unauthenticated attacker. Time-based extraction pulls one bit or byte per request, so it is slow and leaves many log entries, but standard tooling automates it completely.

🟢

If Mitigated

Limited impact once the plugin is updated to 13.0.8 or later, or while it is deactivated or the WordPress admin interface is restricted to trusted addresses.

🌐 Internet-Facing: HIGH - The vulnerable page requires no authentication, so any site reachable from the internet can be attacked directly with a single crafted GET request.
🏢 Internal Only: LOW - An intranet-only site is still exploitable by anyone who can reach it, but exposure is limited to users and devices on that network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation needs no account and no special preconditions: one crafted GET request reaches the unprepared query. Public write-ups and proof-of-concept requests exist, and the time-based extraction is a textbook technique that off-the-shelf SQL injection tools perform automatically.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 13.0.8

Vendor Advisory: https://wordpress.org/plugins/wp-statistics/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the WP Statistics plugin.
4. Click 'Update Now' if an update is offered.
5. Alternatively, download version 13.0.8 or later from the WordPress plugin repository and update manually.

🔧 Temporary Workarounds

Disable WP Statistics Plugin

all

Temporarily disable the vulnerable plugin until patched.

wp plugin deactivate wp-statistics

Restrict Access via .htaccess

linux

Restrict the WordPress admin interface to trusted addresses. A rule on the plugin's main file (wp-statistics.php) blocks nothing useful: that file is included by PHP on every page load and is never requested over HTTP, while the affected report page is served through wp-admin. The addresses below are placeholders; if front-end features of the site rely on admin-ajax.php, exempt that file (in Apache 2.4 syntax, `Require all granted` inside a `<Files "admin-ajax.php">` section).

# Add to .htaccess inside the wp-admin/ directory (Apache 2.2 / mod_access_compat syntax):
Order Deny,Allow
Deny from all
Allow from 203.0.113.0/24
Allow from 198.51.100.5

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules that block SQL injection patterns on requests to the WordPress admin interface, including the time-delay functions SLEEP() and BENCHMARK() that a blind injection relies on, and apply them after URL-decoding the request
  • Restrict network access to the WordPress admin interface (wp-admin/) to an allowlist of trusted IP addresses

🔍 How to Verify

Check if Vulnerable:

In the WordPress admin panel, open Plugins > Installed Plugins and read the WP Statistics version. Any version below 13.0.8 is vulnerable. Compare the components numerically, not as text: 13.0.10 is newer than 13.0.8 even though it sorts before it as a string.

Check Version:

wp plugin get wp-statistics --field=version

Verify Fix Applied:

Confirm WP Statistics plugin version is 13.0.8 or higher in WordPress admin panel.
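The same check scripted for a fleet of sites, as an added example that is not part of this advisory or of the plugin: it asks WP-CLI for the installed version (the `wp plugin get ... --field=version` command above) and compares it component by component against 13.0.8, which avoids the string-comparison trap where "13.0.10" sorts before "13.0.8". The `wp` binary on PATH and the WordPress root passed as `wp_path` are assumptions of this example.

```python
import re
import subprocess

FIXED_IN = (13, 0, 8)  # first release containing the fix, per this advisory


def parse_version(text):
    """Turn '13.0.7', '13.0.10' or '13.1' into a comparable tuple of ints.
    A trailing qualifier such as '-beta1' is dropped; missing components count as 0."""
    numbers = re.findall(r"\d+", text.strip().split("-")[0])
    parts = tuple(int(n) for n in numbers[:3])
    return parts + (0,) * (3 - len(parts))


def is_vulnerable(version_text):
    # Tuple comparison is numeric per component; '13.0.10' < '13.0.8' is true
    # for strings but false here.
    return parse_version(version_text) < FIXED_IN


def installed_version(wp_path):
    """Return the WP Statistics version reported by WP-CLI for the WordPress
    install at wp_path, or None if the plugin or WP-CLI is unavailable.
    Assumes `wp` is on PATH (example assumption, not from the advisory)."""
    try:
        result = subprocess.run(
            ["wp", "plugin", "get", "wp-statistics", "--field=version",
             "--path=" + wp_path],
            capture_output=True, text=True, check=True,
        )
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return result.stdout.strip() or None


if __name__ == "__main__":
    import sys
    version = installed_version(sys.argv[1] if len(sys.argv) > 1 else ".")
    if version is None:
        print("WP Statistics not installed or WP-CLI unavailable")
    else:
        state = "VULNERABLE (update to 13.0.8+)" if is_vulnerable(version) else "patched"
        print("WP Statistics " + version + ": " + state)
```

Run it with the WordPress root as the only argument; a non-zero exit from WP-CLI (plugin absent, wrong path) is reported rather than mistaken for a patched site.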

📡 Detection & Monitoring

Log Indicators:

  • Requests to the WordPress admin interface whose parameters contain SQL fragments, above all the time-delay functions SLEEP() and BENCHMARK(), quote characters and comment terminators (-- or #), often percent-encoded more than once
  • Bursts of near-identical requests from one client whose response times step up in fixed increments (time-based extraction reads the database one bit or byte per request)
  • Slow-query-log entries, or long-running queries in the process list, that contain SLEEP or BENCHMARK
  • Unexpected database schema, user or option-table changes

Network Indicators:

  • HTTP requests to /wp-admin/ pages or to /wp-content/plugins/wp-statistics/ carrying SQL injection patterns, typically from scanner user agents or a single source in quick succession
  • Response-time spikes on wp-admin requests from one client while the rest of the site stays responsive

SIEM Query:

source="web_server" AND (uri="*wp-admin*" OR uri="*wp-statistics*") AND (uri="*SLEEP(*" OR uri="*BENCHMARK(*" OR uri="*UNION*" OR uri="*SELECT*" OR uri="*%27*" OR uri="*'*")

Match against the URL-decoded URI (decode at least twice): a blind, time-based injection carries SLEEP() or BENCHMARK() rather than UNION/SELECT, so a keyword list without the delay functions misses it, and single-pass decoding misses payloads sent as %2527.
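The same detection logic run over constructed access-log lines, as an added example that is not part of this advisory or of the plugin. It parses Apache combined-format entries, decodes each parameter repeatedly so double-encoded payloads are visible, limits itself to the plugin's admin pages and plugin directory, and ranks source addresses by how many injection indicators they produced, since a blind extraction needs many requests. Assumptions of this example: the sample lines are made up (documentation IP ranges, a placeholder page slug `wps_example_page`, because this advisory does not name the real one), and the plugin's admin page slugs are assumed to share the `wps_` prefix; adjust the scope check to what your own logs show.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote_plus

# Constructed Apache combined-format log lines (not real traffic).
# wps_example_page is a placeholder slug; the advisory does not give the real one.
# The 302s are normal: an unauthenticated request to wp-admin is redirected to the
# login page, which says nothing about whether the injected query already ran.
SAMPLE_LOG = """\
198.51.100.7 - - [10/May/2021:12:00:01 +0000] "GET /wp-admin/admin.php?page=wps_example_page&ID=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2021:12:00:02 +0000] "GET /wp-admin/admin.php?page=wps_example_page&ID=1%20AND%20SLEEP(5) HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2021:12:00:09 +0000] "GET /wp-admin/admin.php?page=wps_example_page&type=1%2527%2520AND%2520BENCHMARK(5000000%252CMD5(1))--%2520- HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.4 - - [10/May/2021:12:01:00 +0000] "GET /wp-content/plugins/wp-statistics/assets/css/admin.css HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.4 - - [10/May/2021:12:01:05 +0000] "GET /?s=select+a+plan HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Checked in this order, so the most specific indicator is the one reported.
SQLI_PATTERNS = {
    "time-based": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\("),
    "union-select": re.compile(r"\bunion\b.{0,40}\bselect\b"),
    "schema-probe": re.compile(r"\b(information_schema|load_file|extractvalue|updatexml)\b"),
    "boolean": re.compile(r"['\")\d]\s+(and|or)\s+['\"\w]+\s*(=|like)\s*['\"\w]+"),
}


def normalise(value):
    """Undo up to three layers of percent-encoding, drop inline comments and
    collapse whitespace, so evasions such as %2527 or AND/**/SLEEP are visible."""
    for _ in range(3):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    value = re.sub(r"/\*.*?\*/", " ", value)
    return re.sub(r"\s+", " ", value).strip().lower()


def in_scope(path, params):
    """Look only at the plugin's admin pages (assumed wps_ slug prefix) and its
    plugin directory; a search term on the front page is not this vulnerability."""
    if "/wp-content/plugins/wp-statistics/" in path:
        return True
    if path.startswith("/wp-admin/"):
        return dict(params).get("page", "").startswith("wps_")
    return False


def scan_log(text):
    """Return one finding per (request, parameter) that carries an SQLi indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m["target"].partition("?")
        params = parse_qsl(query, keep_blank_values=True)  # first decoding layer
        if not in_scope(path, params):
            continue
        for name, raw in params:
            value = normalise(raw)
            for label, pattern in SQLI_PATTERNS.items():
                if pattern.search(value):
                    findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                                     "path": path, "param": name,
                                     "indicator": label, "value": value})
                    break
    return findings


def suspicious_sources(findings, threshold=2):
    """Blind extraction needs many requests: rank clients by indicator count."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["ip"], h["indicator"], h["param"] + "=" + h["value"])
    print("sources above threshold:", suspicious_sources(hits))
```

On the sample, the first request (ID=1) is benign and produces nothing, the second and third are flagged as time-based on their ID and type parameters after decoding, the stylesheet request is in scope but clean, and the front-page search containing the word "select" is ignored by the scope check. Feed it a real access log with `scan_log(open(path).read())`.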
