Wordfence Threat Intelligence’s security team reported finding a time-based blind SQL injection flaw in WP Statistics, a popular WordPress plugin with over half a million active installations. The plugin is developed by VeronaLabs and gives website administrators detailed statistics about their site.
According to the report, the flaw can be exploited by unauthenticated threat actors to extract sensitive information from the website on which the plugin runs. This vulnerability received a score of 7.5/10 according to the Common Vulnerability Scoring System (CVSS) and affects all versions of the plugin prior to v13.0.8.
Website administrators can view detailed traffic statistics for their site in the WP Statistics “Pages” menu, which runs an SQL query to collect that data. The researchers found that the Pages section could be reached without administrator privileges.
“The ‘Pages’ section was intended for administrators only, and did not display information to users with reduced privileges; however, it was possible to load the page builder by sending a request to wp-admin/admin.php with the page parameter set to wp-admin/admin.php. In other words, any visitor to an affected website could make this query and access confidential information,” the experts mention.
In this case, the SQL query did not use a prepared statement, so threat actors could manipulate the ID parameter in a way that bypasses the esc_sql function and produces arbitrary queries, allowing sensitive information such as hashed passwords, email addresses, encryption keys and more to be extracted.
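The following is an added illustration, not WP Statistics’ own code, of why esc_sql() alone does not protect an integer parameter that is interpolated unquoted, and what the hardened form looks like. The table and column names, the stub functions used outside WordPress, and the `manage_options` capability check are assumptions made for the example.

```php
<?php
// Added illustration (not WP Statistics' code): esc_sql() versus a prepared statement.
// Outside WordPress the minimal stubs below stand in for esc_sql() and absint();
// the table name statistics_pages and its columns are hypothetical.

if ( ! function_exists( 'esc_sql' ) ) {
    // The real esc_sql() escapes quote and backslash characters only; it never
    // validates the type or shape of the value it is given.
    function esc_sql( $v ) { return addslashes( $v ); }
    function absint( $v ) { return abs( intval( $v ) ); }
}

// Vulnerable pattern: the value is escaped but interpolated without quotes.
// Input that contains no quote characters passes through esc_sql() untouched,
// so the structure of the WHERE clause can be changed by the caller.
function build_pages_query_vulnerable( $prefix, $page_id ) {
    $id = esc_sql( $page_id );
    return "SELECT uri, count FROM {$prefix}statistics_pages WHERE id = $id";
}

// Hardened pattern: coerce the parameter to a non-negative integer first.
// absint() keeps only the leading integer, so non-numeric input becomes 0.
function build_pages_query_hardened( $prefix, $page_id ) {
    $id = absint( $page_id );
    return sprintf( "SELECT uri, count FROM {$prefix}statistics_pages WHERE id = %d", $id );
}

// Inside WordPress the same query should also enforce the capability the page
// was meant for and bind the value with $wpdb->prepare() using the %d placeholder.
function pages_report( $wpdb, $page_id ) {
    if ( ! current_user_can( 'manage_options' ) ) {   // assumed capability
        wp_die( 'Insufficient privileges', 403 );
    }
    $sql = $wpdb->prepare(
        "SELECT uri, count FROM {$wpdb->prefix}statistics_pages WHERE id = %d",
        absint( $page_id )
    );
    return $wpdb->get_results( $sql );
}

// Demonstration with a constructed non-numeric input: the first query keeps the
// extra clause verbatim, the second reduces it to the integer 7.
$input = '7 OR 1';
echo build_pages_query_vulnerable( 'wp_', $input ), "\n";
echo build_pages_query_hardened( 'wp_', $input ), "\n";
```

Run with `php example.php` to compare the two generated queries; the escaping step changes nothing in the vulnerable one because the input contains no quote characters.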
“Malicious hackers could extract personally identifiable information from commercial websites for malicious purposes, so it’s important for developers to update the software immediately,” concludes the report.
The flaw has already been reported to the developers of the affected plugin and vulnerable versions are expected to be fully fixed in the coming weeks with the release of WP Statistics v13.0.8. To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.