21. May 2021

This article has been indexed from E Hacking News – Latest Hacker News and IT Security News

According to researchers from Wordfence Threat Intelligence, WP Statistics, a WordPress plugin with over 600,000 active downloads, has a Time-Based Blind SQL Injection vulnerability. The plugin, developed by VeronaLabs, provides site owners with comprehensive website statistics.

An unauthenticated attacker may use the vulnerability to extract sensitive information from a WordPress website running the vulnerable plugin. The vulnerability has a CVSS score of 7.5 (high severity) and affects plugin versions prior to 13.0.8.

Site administrators can view detailed statistics about their site’s traffic through the WP Statistics “Pages” menu item, which runs a SQL query to generate those statistics. Researchers discovered that the WP Statistics “Pages” page could be reached even without admin rights.

The analysis published by Wordfence states, “While the “Pages” page was intended for administrators only and would not display information to non-admin users, it was possible to start loading this page’s constructor by sending a request to wp-admin/admin.php with the page parameter set to wps_pages_page.”

“Since the SQL query ran in the constructor for the “Pages” page, this meant that any site visitor, even those without a login, could cause this SQL query to run. A malicious actor could then supply malicious values for the ID or type parameters.”
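The root cause Wordfence describes is a two-part pattern: a SQL query that runs inside a page class's constructor, and a query string built from request parameters. The following is an added illustrative example written for this article, not code from WP Statistics, Wordfence or VeronaLabs. It models that pattern in a hypothetical admin screen and shows the hardened form beside it. The class names, the `stats_pages` table and the use of the `ID` and `type` request parameters are assumptions for illustration; `current_user_can`, `absint`, `sanitize_key`, `wp_die` and `$wpdb->prepare` are standard WordPress APIs.

```php
<?php
// Added illustrative example; not the plugin's own code. Names such as
// Stats_Pages_Screen_* and the stats_pages table are assumptions.

// --- Vulnerable pattern (hypothetical) ---
class Stats_Pages_Screen_Vulnerable {
    public function __construct() {
        global $wpdb;
        $id   = isset( $_GET['ID'] )   ? $_GET['ID']   : 0;
        $type = isset( $_GET['type'] ) ? $_GET['type'] : '';

        // The query is concatenated from raw request values and executes as soon
        // as the object is constructed. Because construction happens before any
        // capability check, an unauthenticated visitor who can trigger loading of
        // this screen can influence the SQL through the ID and type parameters.
        $rows = $wpdb->get_results(
            "SELECT * FROM {$wpdb->prefix}stats_pages WHERE id = $id AND type = '$type'"
        );

        // ... capability check and rendering would follow here, too late to help.
    }
}

// --- Hardened pattern (hypothetical) ---
class Stats_Pages_Screen_Hardened {
    private $rows = array();

    public function __construct() {
        // 1. Do no work in the constructor. Reading request data and querying
        //    the database are deferred to render(), which enforces authorization.
    }

    public function render() {
        // 2. Enforce the capability explicitly rather than relying on the menu
        //    entry being hidden from non-admin users.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( esc_html__( 'Sorry, you are not allowed to access this page.' ), 403 );
        }
        $this->rows = $this->load_rows();
        // ... output $this->rows with proper escaping ...
    }

    private function load_rows() {
        global $wpdb;

        // 3. Validate and coerce each input to the shape the query expects:
        //    an unsigned integer ID and a type drawn from a fixed allow-list.
        $id   = absint( $_GET['ID'] ?? 0 );
        $type = sanitize_key( $_GET['type'] ?? '' );
        $allowed_types = array( 'page', 'post' );
        if ( ! in_array( $type, $allowed_types, true ) ) {
            $type = 'page';
        }

        // 4. Use a prepared statement so request values are bound as data and can
        //    never alter the query structure, regardless of what the caller sends.
        $sql = $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}stats_pages WHERE id = %d AND type = %s",
            $id,
            $type
        );
        return $wpdb->get_results( $sql );
    }
}
```

The two changes matter independently. Moving the query out of the constructor and behind `current_user_can()` removes the unauthenticated reach that made this finding severe; binding the values with `$wpdb->prepare()` removes the injection itself, so the query stays safe even if a future code path exposes it to lower-privileged users. When reviewing a plugin for this class of bug, look for any `$wpdb` call whose arguments trace back to `$_GET`, `$_POST` or `$_REQUEST` without passing through `prepare()`, and check whether the code path that runs it can be reached before the capability check.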