SQL Injection Vulnerability has been discovered in WP Statistics plugin


WP Statistics is one of the most popular WordPress plugins, installed on roughly 300,000 websites. The plugin lets WordPress administrators track statistics for their site without depending on external services, and it uses aggregate data wherever possible to respect users' privacy.

Sucuri researchers have discovered a SQL injection flaw in the WP Statistics plugin, which could be exploited by attackers to extract the site's database contents and, in some configurations, take over the vulnerable website remotely.

SQL injection is a code injection technique used against data-driven applications. The vulnerability lets an attacker submit crafted input that interferes with the application's interaction with its back-end database. Depending on the application and database configuration, the attacker may be able to read arbitrary data, alter the application's logic, or execute commands on the database server itself. Read more about SQL injection here.

“This vulnerability is caused by the lack of sanitization in user provided data. An attacker with at least a subscriber account could leak sensitive data and under the right circumstances/configurations compromise your WordPress installation.”

“One of the vulnerable functions wp_statistics_searchengine_query() in the file “includes/functions/functions.php” is accessible through WordPress’ AJAX functionality thanks to the core function wp_ajax_parse_media_shortcode().”

“This function doesn’t check for additional privileges, allowing subscribers to execute this shortcode and inject malicious data to its attributes.”
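The pattern Sucuri describes has two parts: a shortcode handler that interpolates its attributes straight into a SQL string, and an AJAX entry point (WordPress core's `wp_ajax_parse_media_shortcode()`, which runs `do_shortcode()` on text supplied by any logged-in user) that lets low-privileged accounts reach that handler. The following is an added illustration written for this article, not code from WP Statistics or Sucuri; the function names, table name and the list of allowed search engines are hypothetical. It shows the vulnerable shape beside a hardened version that adds a capability check, an allow-list and `$wpdb->prepare()`.

```php
<?php
// Added illustration of the vulnerability class described above. Not the plugin's
// real code: example_stats_* functions, the example_search table and the allow-list
// are all hypothetical.

// BEFORE (vulnerable pattern): the shortcode attribute is concatenated into SQL.
// Any logged-in user can trigger do_shortcode() via wp_ajax_parse_media_shortcode(),
// so $atts['search_engine'] must be treated as attacker-controlled input.
function example_stats_shortcode_vulnerable( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'search_engine' => 'all' ), $atts, 'example_stats' );

    // No capability check and no escaping: a crafted attribute value changes the query.
    $sql = "SELECT COUNT(*) FROM {$wpdb->prefix}example_search"
         . " WHERE engine = '" . $atts['search_engine'] . "'";
    return (string) $wpdb->get_var( $sql );
}

// AFTER (hardened): require a capability so subscribers cannot run the query at all,
// restrict the attribute to known values, and let $wpdb->prepare() quote it.
function example_stats_shortcode_fixed( $atts ) {
    global $wpdb;

    // Shortcode output reachable through AJAX must enforce its own authorization.
    if ( ! current_user_can( 'manage_options' ) ) {
        return '';
    }

    $atts    = shortcode_atts( array( 'search_engine' => 'all' ), $atts, 'example_stats' );
    $allowed = array( 'all', 'google', 'bing', 'duckduckgo' ); // hypothetical allow-list
    $engine  = sanitize_key( $atts['search_engine'] );

    // Reject anything outside the allow-list instead of trying to clean it up.
    if ( ! in_array( $engine, $allowed, true ) ) {
        return '';
    }

    if ( 'all' === $engine ) {
        $sql = "SELECT COUNT(*) FROM {$wpdb->prefix}example_search";
    } else {
        // Parameterized: the value is bound as a string, never parsed as SQL.
        $sql = $wpdb->prepare(
            "SELECT COUNT(*) FROM {$wpdb->prefix}example_search WHERE engine = %s",
            $engine
        );
    }
    return (string) $wpdb->get_var( $sql );
}

add_shortcode( 'example_stats', 'example_stats_shortcode_fixed' );
```

The capability check is the part most often forgotten: even a fully parameterized query still leaks data if any subscriber can invoke the shortcode through the media-shortcode AJAX endpoint, so shortcode handlers that touch the database should decide for themselves who is allowed to run them.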

So, if you are still running a vulnerable version of the WP Statistics plugin, you should update it as soon as possible.

Unallocated Author

Please note that the article you are reading has an unallocated author as the original author is no longer employed at latesthackingnews.com, this has been put in place to adhere with general data protection regulations (GDPR). If you have any further queries, please contact: [email protected]