SQL Injection Vulnerability Found In WordPress Plugin Used By 300,000+ Sites


A SQL injection vulnerability has been found in WP Statistics, one of the most popular WordPress plugins, installed on more than 300,000 websites.

The plugin lets administrators monitor the statistics of a WordPress site without relying on external services, and it anonymizes the data wherever possible to respect the privacy of users.

The Sucuri research team discovered that the WP Statistics plugin is vulnerable to a SQL injection flaw that allows a remote user with at least a subscriber account to steal sensitive information from the website's database and possibly gain unauthorized access to the site. Because the flaw is reachable remotely, an attacker could use it to dump the database and, under the right conditions, take over vulnerable sites.

SQL injection is a code injection technique used to attack data-driven applications. It arises when an application lets an attacker submit crafted input that interferes with the application's interaction with its back-end database.

An attacker may be able to read arbitrary data, tamper with the application's logic, or execute commands on the database server itself.

“An attacker with at least one subscriber account could leak sensitive data and, in the right conditions/settings, compromise the WordPress installation.” The vulnerability is due to a lack of sanitization of user-provided data.

“One of the vulnerable functions, wp_statistics_searchengine_query(), in the file includes/functions/functions.php is accessible through WordPress’ AJAX functionality thanks to the core wp_ajax_parse_media_shortcode() function.”

“This function does not check for additional privileges, allowing subscribers to execute this code and inject malicious data into its attributes.”
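The pattern described above, an attribute reachable by a low-privileged user that is pasted straight into a query, is reproduced below as an added example. It is not code from the advisory or from the WP Statistics plugin: SQLite stands in for MySQL, the table names, rows, function names and the UNION payload are all constructed for illustration, and the hardened version shows the two checks a reviewer would expect (an allowlist of acceptable attribute values plus a parameterized query).

```python
import sqlite3

# Constructed in-memory database standing in for a WordPress install.
# Table names follow WordPress conventions, but every row is fabricated.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_users VALUES (1, 'admin', 'constructed-hash');
        CREATE TABLE wp_statistics_search (ID INTEGER, engine TEXT, words TEXT, visitor INTEGER);
        INSERT INTO wp_statistics_search VALUES (1, 'google', 'wordpress stats', 7);
        INSERT INTO wp_statistics_search VALUES (2, 'bing', 'wp plugin', 3);
        INSERT INTO wp_statistics_search VALUES (3, 'google', 'sucuri', 2);
    """)
    return conn


def vulnerable_search_engine_query(conn, engine):
    # Vulnerable pattern (hypothetical, not the plugin's code): the value of a
    # shortcode attribute is interpolated into the SQL text, so the database
    # parses whatever the caller supplied as part of the statement.
    sql = ("SELECT engine, words, visitor FROM wp_statistics_search "
           "WHERE engine = '%s'" % engine)
    return conn.execute(sql).fetchall()


# Allowlist of values the attribute may legitimately take (constructed).
KNOWN_ENGINES = {"google", "bing", "yahoo", "duckduckgo"}


def hardened_search_engine_query(conn, engine):
    # Two independent defences: reject anything outside the allowlist, and
    # bind the value as a parameter so it can never be parsed as SQL.
    if engine not in KNOWN_ENGINES:
        raise ValueError("unknown search engine: %r" % engine)
    sql = ("SELECT engine, words, visitor FROM wp_statistics_search "
           "WHERE engine = ?")
    return conn.execute(sql, (engine,)).fetchall()


# Constructed payload: closes the quoted string, appends a UNION that reads
# credentials out of wp_users, and comments out the trailing quote.
PAYLOAD = "x' UNION SELECT user_login, user_pass, ID FROM wp_users -- "


def demo():
    # Returns what the vulnerable query leaks and whether the hardened one refused it.
    conn = build_db()
    leaked = vulnerable_search_engine_query(conn, PAYLOAD)
    try:
        hardened_search_engine_query(conn, PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    rows, refused = demo()
    print("vulnerable query returned:", rows)
    print("hardened query refused payload:", refused)
```

Running the script shows the vulnerable query handing back the admin login and password hash from a query that was only supposed to count search referrals, while the hardened version rejects the payload before any SQL is executed. In a WordPress plugin the equivalent of the parameterized query is $wpdb->prepare(), and the allowlist check belongs in the shortcode handler, alongside a capability check, since shortcode attributes are attacker-controlled once a subscriber can reach them through the AJAX path.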

So if you are running a vulnerable version of the WP Statistics plugin, update it as soon as possible.
