Pierluigi Paganini July 01, 2017

According to Sucuri, the SQL injection vulnerability in WP Statistics plugin affects multiple functions, including wp_statistics_searchengine_query().

WordPress provides an API that allows developers to create content that users can place directly in their pages by using a simple shortcode:

 [shortcode atts_1=”test” atts_2=”test”]

The WP Statistics plugin allows admin users to get detailed information related to the number of visits by just calling the shortcode below:

The function does not check for additional privileges, which allows website subscribers to execute this shortcode and inject malicious code to its attributes.

“Some attributes of the shortcode wpstatistics are being passed as parameters for important functions and this should not be a problem if those parameters were sanitized.” states the analysis.

“One of the vulnerable functions wp_statistics_searchengine_query() in the file ‘includes/functions/functions.php’ is accessible through WordPress’ AJAX functionality thanks to the core function wp_ajax_parse_media_shortcode().”

The researchers at Sucuri privately reported the vulnerability to the WP Statistics team that promptly fixed it with version 12.0.8.

So, if you have a vulnerable version of the plugin installed and your website, you have to update it to the latest version as soon as possible.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – WP Statistics, WordPress hacking)

[adrotate banner=”13″]