Plugin Leaves 300,000 WordPress Websites Vulnerable to SQL Injection Attack

Security researchers have discovered a flaw in WP Statistics, a tremendously popular WordPress plugin used on over 300,000 websites, that could let attackers steal databases and, in some cases, remotely hijack the websites altogether.

WP Statistics is a plugin that lets site administrators view website information, including real-time user numbers, page statistics and visitor counts.

Security researchers from Sucuri have found that the WP Statistics plugin is vulnerable to an SQL injection flaw, allowing a remote attacker with nothing more than a subscriber account to steal data from the website’s database.

For context, SQL (Structured Query Language) injection is a web application bug that lets attackers inject SQL code through web inputs, so that their own queries run against the application’s database and can be used to determine its structure and extract its contents.

Researchers explained:

This vulnerability is caused by the lack of sanitization in user-provided data. An attacker with at least a subscriber account could leak sensitive data and, under the right circumstances/configurations, compromise your WordPress installation.

“If you have a vulnerable version installed and your site allows user registration, you are definitely at risk,” the researchers warned.

Fundamentally, in vulnerable versions of the plugin one function can be reached without any additional privilege check, which lets an ordinary website subscriber inject malicious SQL into the query it builds.

“One of the vulnerable functions, wp_statistics_searchengine_query() in the file ‘includes/functions/functions.php’, is accessible through WordPress’ AJAX functionality thanks to the core function wp_ajax_parse_media_shortcode(),” researchers added.
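As an added illustration of the pattern the researchers describe (this is hypothetical code, not the plugin's own or Sucuri's), the following shows an AJAX-reachable function that concatenates a request value into its SQL next to a hardened version that binds the value with `$wpdb->prepare()` and checks the caller's capability. The function, action and table names are assumptions.

```php
<?php
// Added illustration, not WP Statistics' own code. Names are hypothetical.

// BEFORE (vulnerable pattern): the request value is dropped straight into
// the SQL string, so whatever the caller sends becomes part of the query.
function example_searchengine_query_unsafe( $search_engine ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_search_stats';
    $sql   = "SELECT COUNT(*) FROM {$table} WHERE engine = '{$search_engine}'";
    return $wpdb->get_var( $sql );
}

// AFTER (hardened): bind the value with $wpdb->prepare() so it can only ever
// be treated as a string literal, never as SQL syntax.
function example_searchengine_query_safe( $search_engine ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_search_stats';
    $sql   = $wpdb->prepare(
        "SELECT COUNT(*) FROM {$table} WHERE engine = %s",
        $search_engine
    );
    return (int) $wpdb->get_var( $sql );
}

// AJAX entry point. Hooking only wp_ajax_ (not wp_ajax_nopriv_) still lets
// every logged-in user, subscribers included, call this handler, so the
// capability check and nonce check below are what actually limit access.
function example_ajax_stats_query() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    check_ajax_referer( 'example_stats_nonce', 'nonce' );

    $engine = isset( $_POST['engine'] )
        ? sanitize_text_field( wp_unslash( $_POST['engine'] ) )
        : '';

    wp_send_json_success(
        array( 'count' => example_searchengine_query_safe( $engine ) )
    );
}
add_action( 'wp_ajax_example_stats_query', 'example_ajax_stats_query' );
```

Auditing a plugin for this class of bug means looking at every `wp_ajax_*` handler for two things: whether the handler itself enforces a capability beyond "logged in", and whether every request value reaching `$wpdb` goes through `prepare()`.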

The cybersecurity researchers have responsibly and privately disclosed the flaw to the developers at WP Statistics who have since patched the vulnerability with WP Statistics 12.0.8, the latest version of the plugin.
