CVE-2023-45074 – This SQL injection vulnerability in the Advance... (How to Fix)

Q: What is the severity of CVE-2023-45074?

CVE-2023-45074 has a CVSS score of 9.8 (CRITICAL). This SQL injection vulnerability in the Advanced Page Visit Counter WordPress plugin allows attackers to execute arbitrary SQL commands on the database. It affects all WordPress sites using this plugin up to version 7.1.1, potentially compromising site data and server access.

📋 TL;DR

This SQL injection vulnerability in the Advanced Page Visit Counter WordPress plugin allows attackers to execute arbitrary SQL commands on the database. It affects all WordPress sites using this plugin up to version 7.1.1, potentially compromising site data and server access.

💻 Affected Systems

Products:

Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress

Versions: All versions up to and including 7.1.1

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Affects all WordPress installations with vulnerable plugin versions regardless of configuration.

📦 What is this software?

Advanced Page Visit Counter by Pagevisitcounter

View all CVEs affecting Advanced Page Visit Counter →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, privilege escalation, remote code execution, and full site takeover.

🟠

Likely Case

Database information disclosure, including user credentials, sensitive content, and plugin data extraction.

🟢

If Mitigated

Limited impact with proper input validation, parameterized queries, and database user privilege restrictions.

🌐 Internet-Facing: HIGH

🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

SQL injection vulnerabilities are commonly exploited with automated tools. Public exploit details exist in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.1.2 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/advanced-page-visit-counter/wordpress-advanced-page-visit-counter-plugin-7-1-1-sql-injection-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Advanced Page Visit Counter'. 4. Click 'Update Now' if update available. 5. Alternatively, download latest version from WordPress repository and replace plugin files.

🔧 Temporary Workarounds

Disable Plugin

all

Temporarily disable the vulnerable plugin until patched.

wp plugin deactivate advanced-page-visit-counter

Web Application Firewall

all

Deploy WAF rules to block SQL injection patterns targeting this plugin.

🧯 If You Can't Patch

Remove the plugin entirely if patching is not possible.
Implement strict network access controls to limit plugin exposure.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Advanced Page Visit Counter version. If version ≤ 7.1.1, vulnerable.

Check Version:

wp plugin get advanced-page-visit-counter --field=version

Verify Fix Applied:

Confirm plugin version is 7.1.2 or higher after update.

📡 Detection & Monitoring

Log Indicators:

Unusual SQL queries in database logs
Multiple failed login attempts after plugin access
Unexpected plugin file modifications

Network Indicators:

HTTP requests with SQL payloads to plugin endpoints
Unusual database connection patterns from web server

SIEM Query:

source="web_server" AND (uri="*advanced-page-visit-counter*" AND (content="' OR " OR content="UNION" OR content="SELECT *"))

📊 Metadata

CVE ID: CVE-2023-45074

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-89

Published: November 6, 2023

Last Updated: February 26, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-45074, you might also want to check these: