WP Statistics is one of the most popular WordPress plugins, with over 300,000 installations. It lets WordPress administrators track visitor statistics for their site without depending on external services, and it uses aggregate data wherever possible to respect users' privacy.
Sucuri researchers have discovered a SQL injection flaw in the WP Statistics plugin that could be exploited by attackers to read the contents of the site's database and, depending on the configuration, take over the vulnerable website remotely.
SQL injection is a code injection technique used to attack data-driven applications. The vulnerability lets an attacker submit crafted input that is interpreted as part of a query, interfering with the application's interaction with its back-end database. Depending on the query and the database privileges, the attacker may be able to read arbitrary data (user tables, password hashes, configuration), alter the application's logic, or execute commands on the database server itself.
Sucuri's advisory states:

“This vulnerability is caused by the lack of sanitization in user provided data. An attacker with at least a subscriber account could leak sensitive data and under the right circumstances/configurations compromise your WordPress installation.”

“One of the vulnerable functions wp_statistics_searchengine_query() in the file “includes/functions/functions.php” is accessible through WordPress’ AJAX functionality thanks to the core function wp_ajax_parse_media_shortcode().”

“This function doesn’t check for additional privileges, allowing subscribers to execute this shortcode and inject malicious data to its attributes.”
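The pattern the advisory describes, a shortcode attribute that reaches a database query without sanitization, is shown below next to its parameterized form. This is an added, generic illustration and not the plugin's code: the `search_stats` and `wp_users` tables, their rows, and the function names are constructed for the demo, and SQLite stands in for MySQL. The same UNION-based payload a low-privileged user could place in an attribute leaks rows from an unrelated table through the vulnerable version and returns nothing through the hardened one.

```python
import sqlite3

# Constructed sample data; not the plugin's real schema or contents.
SAMPLE_STATS = [
    ("google", 120),
    ("bing", 30),
    ("duckduckgo", 7),
]
SAMPLE_USER = ("admin", "$P$Bexamplehash")  # placeholder hash, constructed

# Attacker-controlled attribute value: closes the string literal, appends a UNION
# that reads a different table, and comments out the remainder of the query.
PAYLOAD = "' UNION SELECT user_login, user_pass FROM wp_users -- "


def build_db():
    """Create an in-memory database with a stats table and a user table to leak."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE search_stats (engine TEXT, hits INTEGER)")
    conn.executemany("INSERT INTO search_stats VALUES (?, ?)", SAMPLE_STATS)
    conn.execute("CREATE TABLE wp_users (user_login TEXT, user_pass TEXT)")
    conn.execute("INSERT INTO wp_users VALUES (?, ?)", SAMPLE_USER)
    conn.commit()
    return conn


def vulnerable_query(conn, engine):
    """Hypothetical vulnerable pattern: the attribute is concatenated into the SQL text,
    so any quote character in it is parsed as SQL rather than treated as data."""
    sql = "SELECT engine, hits FROM search_stats WHERE engine = '" + engine + "'"
    return conn.execute(sql).fetchall()


def hardened_query(conn, engine):
    """Same query with a bound parameter: the driver sends the value separately from
    the statement, so the payload can only ever match (or fail to match) an engine name.
    In WordPress the equivalent is $wpdb->prepare() with %s placeholders."""
    sql = "SELECT engine, hits FROM search_stats WHERE engine = ?"
    return conn.execute(sql, (engine,)).fetchall()


def demo():
    """Run both variants against the legitimate value and against the payload."""
    conn = build_db()
    return {
        "vulnerable_normal": vulnerable_query(conn, "google"),
        "vulnerable_payload": vulnerable_query(conn, PAYLOAD),
        "hardened_normal": hardened_query(conn, "google"),
        "hardened_payload": hardened_query(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Binding parameters fixes the injection, but the advisory's second point still applies: an AJAX handler that renders arbitrary shortcodes for any authenticated user should also enforce a capability check, otherwise every attribute of every shortcode becomes reachable by subscribers.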