CVE-2021-24750: 
WordPress vulnerability analysis and mitigation

The WP Visitor Statistics (Real Time Traffic) WordPress plugin versions before 4.8 contained a SQL injection vulnerability (CVE-2021-24750). The vulnerability was discovered in the plugin's refDetails AJAX action, where the refUrl parameter was not properly sanitized and escaped. This security issue affected all versions of the plugin prior to version 4.8 and could be exploited by any authenticated user, including those with subscriber-level access (WPScan).

The vulnerability exists in the refDetails AJAX action functionality of the plugin, where improper sanitization and escaping of the refUrl parameter created a SQL injection point. The vulnerability could be exploited by sending a specially crafted request to the WordPress admin-ajax.php endpoint. A proof of concept exploit demonstrates that attackers could execute SQL queries by manipulating the refUrl parameter in requests to: /wp-admin/admin-ajax.php?action=refDetails (WPScan). The vulnerability has been assigned a CVSS score of 7.7 (High) indicating significant severity.

The SQL injection vulnerability could allow authenticated attackers, even with minimal privileges such as subscriber-level access, to execute arbitrary SQL queries against the WordPress database. This could potentially lead to unauthorized access to sensitive data, including user credentials and other confidential information stored in the database (WPScan).

The vulnerability has been patched in version 4.8 of the WP Visitor Statistics plugin. Site administrators are strongly advised to update to this version or later to protect against potential SQL injection attacks (WPScan, WordPress).