WP Statistics Plugin Flaw Time-Based Blind SQL Injection

Heads up, WordPress admins! The popular plugin WP Statistics had a serious security flaw that put website security at risk. Since the patch is out, users must update their sites to the latest plugin version to stay protected.

WP Statistics Plugin Flaw

Researchers from Team Wordfence have disclosed a serious SQL injection flaw in the WP Statistics plugin. As elaborated in their post, exploiting the vulnerability could allow an attacker to steal sensitive data from a website.

Specifically, the researchers identified a time-based blind SQL injection vulnerability. Owing to the limitations of this technique, an adversary could not use the flaw to extract bulk data from a target website quickly. However, it would certainly allow a patient attacker to pilfer specific data over a considerable period of time.

Explaining the vulnerability, Wordfence stated,

“While the “Pages” page was intended for administrators only and would not display information to non-admin users, it was possible to start loading this page’s constructor by sending a request to wp-admin/admin.php with the page parameter set to wps_pages_page. Since the SQL query ran in the constructor for the “Pages” page, this meant that any site visitor, even those without a login, could cause this SQL query to run.
Unfortunately, while this SQL query used esc_sql to attempt to escape the ID and type input parameters, it did not use a prepared statement. Since the ID input parameter was not quoted, it was trivial to bypass the esc_sql function and generate queries which could be used to extract sensitive information from the site.”

Patch Rolled Out

According to the researchers, this type of vulnerability arises because it bypasses all existing security measures. Nonetheless, explaining the mitigation for it, they stated,

“The only reliable method of preventing SQL injection is to prepare all SQL statements before executing them, which can be performed using $wpdb->prepare(). While it might still be possible to construct a vulnerable query that uses a prepared statement, it is very difficult to do so unintentionally.”
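To make the two quoted points concrete, here is an added illustration (not code from WP Statistics or Wordfence) of the unsafe pattern the researchers describe, an escaped but unquoted ID parameter, next to the prepared-statement form they recommend. The table name, column names and function names are assumptions for illustration; `esc_sql()`, `$wpdb->prepare()`, `$wpdb->get_results()` and `current_user_can()` are real WordPress APIs.

```php
<?php
// Added example, not the plugin's own code. Table/column names are assumptions.

/**
 * UNSAFE pattern: esc_sql() only escapes quote characters. Because $id is
 * interpolated without surrounding quotes, non-numeric input is not contained
 * by any quoting and can change the structure of the query, which is exactly
 * the weakness Wordfence describes.
 */
function wps_example_unsafe_pages_query( $id, $type ) {
    global $wpdb;
    $id   = esc_sql( $id );   // escaping without quoting gives no protection here
    $type = esc_sql( $type );
    $sql  = "SELECT * FROM {$wpdb->prefix}statistics_pages WHERE id = $id AND type = '$type'";
    return $wpdb->get_results( $sql );
}

/**
 * HARDENED pattern: $wpdb->prepare() binds %d as an integer and %s as a
 * properly quoted and escaped string, so user input can never alter the
 * query structure. The capability check is an added defence-in-depth step
 * (an assumption of this example) so the query does not run for anonymous
 * visitors at all, independent of the query being safe.
 */
function wps_example_safe_pages_query( $id, $type ) {
    global $wpdb;

    if ( ! current_user_can( 'manage_options' ) ) {
        return array(); // admin-only page: refuse for non-admins instead of running SQL
    }

    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}statistics_pages WHERE id = %d AND type = %s",
        (int) $id,
        $type
    );
    return $wpdb->get_results( $sql );
}
```

The key difference is not the escaping but the binding: with `%d` the ID is coerced to an integer before it ever reaches the database, and with `%s` the string is both quoted and escaped by `prepare()`, which is why the researchers call prepared statements the only reliable fix.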

After discovering the vulnerability in the WP Statistics plugin, Wordfence reached out to the developers.

Consequently, the developers patched the flaw and deployed the fix with the release of version 13.0.8.

Given the huge number of installations this plugin boasts – over 600,000 – this vulnerability potentially put thousands of websites at risk. Moreover, we already know how quickly threat actors start scanning for vulnerable websites to target. Therefore, all users must update their sites to the latest plugin version at the earliest.
