CVE-2023-0600

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to conduct SQL injection attacks against WordPress sites using the WP Visitor Statistics plugin. Attackers can execute arbitrary SQL commands on the database, potentially compromising the entire site. All WordPress installations with vulnerable versions of this plugin are affected.

💻 Affected Systems

Products:
  • WP Visitor Statistics (Real Time Traffic) WordPress plugin
Versions: All versions before 6.9
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations with the vulnerable plugin version regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, privilege escalation, remote code execution, and full site takeover.

🟠 Likely Case

Data exfiltration, user credential theft, and database manipulation leading to site defacement or malware injection.

🟢 If Mitigated

Limited impact with proper input validation and parameterized queries preventing successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection via unescaped user input in SQL queries; trivial to exploit with automated tools.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.9 and later

Vendor Advisory: https://wpscan.com/vulnerability/8f46df4d-cb80-4d66-846f-85faf2ea0ec4

Restart Required: No

Instructions:

1. Log into WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'WP Visitor Statistics (Real Time Traffic)'.
4. Click 'Update Now' if available.
5. If no update appears, manually download version 6.9+ from the WordPress repository and replace the plugin files.

🔧 Temporary Workarounds

Disable vulnerable plugin (Platform: all)

Temporarily disable the plugin until patched:

wp plugin deactivate wp-visitor-statistics

Web Application Firewall rule (Platform: all)

Block SQL injection patterns targeting the plugin:

Add WAF rule: Block requests containing SQL injection patterns to /wp-content/plugins/wp-visitor-statistics/

🧯 If You Can't Patch

  • Remove the plugin entirely if not essential
  • Implement strict input validation and parameterized queries in custom code

🔍 How to Verify

Check if Vulnerable:

Check plugin version in WordPress admin under Plugins > Installed Plugins

Check Version:

wp plugin get wp-visitor-statistics --field=version

Verify Fix Applied:

Verify plugin version is 6.9 or higher after update

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts from single IP
  • Unexpected database schema changes

Network Indicators:

  • HTTP requests with SQL injection patterns to plugin endpoints
  • Unusual outbound database connections

SIEM Query:

source="web_logs" AND (uri="*wp-visitor-statistics*" AND (query="*UNION*" OR query="*SELECT*" OR query="*INSERT*" OR query="*DELETE*"))
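As an added illustration of the detection logic above (example code, not part of the advisory or the plugin), the following Python scans web-server access-log lines for requests to the plugin path that carry the SQL keywords from the SIEM query. Unlike the raw SIEM string match, it URL-decodes the URI first, so single- and double-encoded payloads are normalised before matching. The plugin path is taken from the WAF workaround above; the log lines and the endpoint file name are constructed samples.

```python
import re
from urllib.parse import unquote_plus

# Plugin path as given in the advisory's WAF workaround
PLUGIN_PATH = "/wp-content/plugins/wp-visitor-statistics/"
# SQL keywords from the advisory's SIEM query, matched as whole words, case-insensitive
SQL_PATTERN = re.compile(r"\b(UNION|SELECT|INSERT|DELETE)\b", re.IGNORECASE)
# Common access-log layout: client IP ... [timestamp] "METHOD URI PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def decode(uri):
    # Decode twice so both single- and double-URL-encoded payloads are normalised
    return unquote_plus(unquote_plus(uri))


def is_suspicious(line):
    """Return (client_ip, decoded_uri) if the line is a plugin request with SQL keywords, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    uri = decode(m.group("uri"))
    if PLUGIN_PATH not in uri:
        return None
    if SQL_PATTERN.search(uri):
        return m.group("ip"), uri
    return None


def scan(lines):
    """Run is_suspicious over every log line and collect the hits in order."""
    return [hit for hit in (is_suspicious(line) for line in lines) if hit]


# Constructed sample lines (not real traffic); "placeholder-endpoint.php" is a made-up file name
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2023:10:00:01 +0000] "GET /wp-content/plugins/wp-visitor-statistics/js/stats.js HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jan/2023:10:00:02 +0000] "GET /wp-content/plugins/wp-visitor-statistics/placeholder-endpoint.php?page=1%20UNION%20SELECT%201 HTTP/1.1" 200 310',
    '198.51.100.7 - - [10/Jan/2023:10:00:03 +0000] "GET /wp-content/plugins/wp-visitor-statistics/placeholder-endpoint.php?page=1%2520union%2520select%25201 HTTP/1.1" 200 310',
    '198.51.100.9 - - [10/Jan/2023:10:00:04 +0000] "GET /?s=select+a+plan HTTP/1.1" 200 4000',
]

if __name__ == "__main__":
    for ip, uri in scan(SAMPLE_LOG):
        print(f"suspicious request from {ip}: {uri}")
```

The last sample line shows why the plugin-path check matters: a site search containing the word "select" is not a hit, while the double-encoded request on the third line is.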

🔗 References
