Blind SQL Injection Flaw in WP Statistics Affected 600K+ Sites

According to researchers from Wordfence Threat Intelligence, WP Statistics has a Time-Based Blind SQL Injection vulnerability which is a WordPress plugin with over 600,000 active downloads. VeronaLabs developed the plugin, which provides site owners with comprehensive website statistics.

An unauthenticated attacker may use the vulnerability to extract sensitive information from a WordPress website using the vulnerable plugin. The vulnerability has a CVSS score of 7.5 (high severity), and it affects plugin versions prior to 13.0.8. 

Accessing the WP Statistics “Pages” menu item, which produces a SQL query to provide statistics, allows site administrators to see comprehensive statistics about their site’s traffic. Researchers discovered that even without admin rights, it was possible to access the WP Statistics “Pages.” 

The analysis published by Wordfence states, “While the “Pages” page was intended for administrators only and would not display information to non-admin users, it was possible to start loading this page’s constructor by sending a request to wp-admin/admin.php with the page parameter set to wps_pages_page.” 

“Since the SQL query ran in the constructor for the “Pages” page, this meant that any site visitor, even those without a login, could cause this SQL query to run. A malicious actor could then supply malicious values for the ID or type parameters.” 

As the SQL query did not use a prepared statement, an attacker could easily exploit the input parameter to circumvent the esc sql function and generate queries that could enable an attacker to extract sensitive data from the site, such as user addresses, password hashes, and encryption keys and salts. 

“In a targeted attack, this vulnerability could be used to extract personally identifiable information from commerce sites containing customer information. This underscores the importance of having security protections with an endpoint firewall in place wherever sensitive data is stored,” the post further read. 

The timeline for the vulnerability is as follows: 

March 13, 2021 – The Wordfence Threat Intelligence team finishes researching a vulnerability in the WP Statistics plugin and contacts VeronaLabs. VeronaLabs responds and Security Affairs provides full disclosure. 

March 15, 2021 – VeronaLabs replies with a fixed version for Security Affairs to test and they verify that it corrects the issue. 

March 25, 2021 – A patched version of the plugin, 13.0.8, is released.