WordPress plugin vulnerability discovered
July 9, 2017
Shah Sheikh

A new vulnerability has been discovered in “WP Statistics”, one of the most popular WordPress plugins, that potentially allows SQL injection attacks. WP Statistics is a plugin that gives administrators information about the number of users online on their site, the number of visitors, and the number of visits. It is used on over 300 000 websites, and the flaw could be exploited to steal databases or hijack the affected sites remotely.

The Sucuri team discovered the vulnerability, through which an attacker who has at minimum a subscriber account can steal information from the website and gain unauthorized access. This is done through SQL injection, where an attacker injects malicious SQL code into web inputs in order to figure out the structure and location of databases. Once done, an attacker can potentially steal that database.

The SQL injection vulnerability in the WP Statistics plugin resides in multiple functions, including wp_statistics_searchengine_query().

“This vulnerability is caused by the lack of sanitization in user-provided data,” researchers said. “Some attributes of the shortcode wpstatistics are being passed as parameters for important functions and this should not be a problem if those parameters were sanitized.” 

“One of the vulnerable functions wp_statistics_searchengine_query() in the file ‘includes/functions/functions.php’ is accessible through WordPress’ AJAX functionality thanks to the core function wp_ajax_parse_media_shortcode().”
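The flaw class the researchers describe, a shortcode attribute reaching a SQL query unsanitized, is modelled below next to its hardened form. This is an added example, not the plugin's code: the `engine` attribute, the allow-list, the table and all sample values are constructed assumptions, and Python with SQLite stands in for PHP and MySQL.

```python
import re
import sqlite3

# Hypothetical allow-list; the plugin's real accepted values are not on the page.
ALLOWED_ENGINES = {"google", "bing", "yahoo"}
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')

def make_db():
    """Constructed sample data standing in for a statistics table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE search (engine TEXT, hits INTEGER)")
    db.executemany("INSERT INTO search VALUES (?, ?)",
                   [("google", 120), ("bing", 30), ("yahoo", 7)])
    return db

def parse_shortcode(text):
    """Simplified parser for [wpstatistics key="value" ...] attributes."""
    m = re.fullmatch(r"\[wpstatistics\b(.*)\]", text.strip(), re.S)
    if not m:
        raise ValueError("not a wpstatistics shortcode")
    return dict(ATTR_RE.findall(m.group(1)))

def hits_unsafe(db, attrs):
    """'Before': the attribute value is concatenated into the SQL text."""
    sql = "SELECT SUM(hits) FROM search WHERE engine = '%s'" % attrs.get("engine", "")
    return db.execute(sql).fetchone()[0]

def hits_safe(db, attrs):
    """'After': allow-list validation first, then a bound parameter."""
    engine = attrs.get("engine", "").lower()
    if engine not in ALLOWED_ENGINES:
        raise ValueError("unsupported engine: %r" % engine)
    sql = "SELECT SUM(hits) FROM search WHERE engine = ?"
    return db.execute(sql, (engine,)).fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    ok = parse_shortcode('[wpstatistics engine="google"]')
    # Constructed malformed value: the quote ends the string literal early.
    bad = parse_shortcode("[wpstatistics engine=\"x' OR '1'='1\"]")
    print(hits_unsafe(db, ok), hits_safe(db, ok))
    print(hits_unsafe(db, bad))  # query logic changed: sums every row
    try:
        hits_safe(db, bad)
    except ValueError as exc:
        print("rejected:", exc)
```

The allow-list and the bound parameter are independent defences: either one alone stops the malformed value here, and using both keeps the query safe if the list is later loosened.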

As of WP Statistics 10.0.8, the vulnerability has been patched. If you run a website that allows user registration and uses a version of WP Statistics prior to 10.0.8, you are vulnerable and need to update your plugin.

Source: thehackernews