WP Statistics vulnerability allows theft of the base


WordPress users, beware: a vulnerability that allows SQL injection has been discovered in WP Statistics, one of the platform's most popular plugins. The add-on is installed on more than 300,000 websites, which attackers could exploit to steal databases and possibly take remote control of the sites.

The flaw was discovered in the very popular WP Statistics plugin, which gives administrators of sites running the WordPress CMS detailed information about the number of visitors to their pages and other statistics.

Discovered by Sucuri's security team:

The WordPress plugin WP Statistics is vulnerable to a flaw that allows SQL injection. A remote attacker who has at least a subscriber account on the site can steal sensitive information from the site's database and potentially gain unauthorized access to it.

SQL injection is a flaw that lets attackers inject malicious SQL code into the queries a target site runs, allowing them to map out the structure and location of the database and, ultimately, to steal it.

The SQL injection vulnerability in the WP Statistics plugin lies in several of its functions, such as wp_statistics_searchengine_query().

"This vulnerability is due to the lack of security of data provided by users," the researchers said. "Some features of the wpstatistics shortcode are passed as parameters to important functions and should not be a problem if replaced."

"One of the vulnerable functions is wp_statistics_searchengine_query() in the 'includes/functions/functions.php' file, which is accessible through WordPress AJAX thanks to the basic wp_ajax_parse_media_shortcode() function."

This function performs no additional permission checks, so any site subscriber can invoke it through the shortcode and pass malicious input into its parameters.
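To illustrate the pattern the researchers describe, here is an added example (hypothetical code, not WP Statistics' own): a shortcode handler that concatenates a shortcode attribute straight into a query, beside a hardened version that allowlists the attribute and binds it with `$wpdb->prepare()`. The table name `demo_stats_visits`, the shortcode name `demo_stats` and the attribute `provider` are assumptions for the example; the WordPress APIs used (`shortcode_atts`, `$wpdb->prepare`, `$wpdb->get_var`, `add_shortcode`) are real.

```php
<?php
// Added illustration, not code from the WP Statistics plugin.
// Both handlers assume the usual WordPress globals ($wpdb) and a
// hypothetical table {$wpdb->prefix}demo_stats_visits with an `engine` column.

// VULNERABLE PATTERN: the shortcode attribute is dropped into the SQL string
// unchanged. Because WordPress core lets any logged-in user render shortcodes
// through the parse-media-shortcode AJAX handler, a subscriber controls $atts.
function demo_stats_shortcode_vulnerable( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'provider' => 'google' ), $atts, 'demo_stats' );
    $sql  = "SELECT COUNT(*) FROM {$wpdb->prefix}demo_stats_visits "
          . "WHERE engine = '" . $atts['provider'] . "'";   // injectable
    return (string) $wpdb->get_var( $sql );
}

// HARDENED: treat every attribute as untrusted input.
//  1. restrict the attribute to a fixed allowlist of expected values;
//  2. bind the value with $wpdb->prepare() instead of string concatenation;
//  3. if the data is meant for administrators only, also require a capability,
//     since shortcode rendering alone does not prove the caller is trusted.
function demo_stats_shortcode_hardened( $atts ) {
    global $wpdb;
    $atts    = shortcode_atts( array( 'provider' => 'google' ), $atts, 'demo_stats' );
    $allowed = array( 'google', 'bing', 'duckduckgo' );
    if ( ! in_array( $atts['provider'], $allowed, true ) ) {
        return '';   // unexpected value: render nothing rather than query
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return '';   // assumption: this statistic is admin-only
    }
    $sql = $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->prefix}demo_stats_visits WHERE engine = %s",
        $atts['provider']
    );
    return (string) $wpdb->get_var( $sql );
}

add_shortcode( 'demo_stats', 'demo_stats_shortcode_hardened' );
```

The same review applies to any shortcode attribute that ends up in a query: shortcode attributes are user input whenever a logged-in user can trigger shortcode rendering, so they need the same allowlisting and parameter binding as form fields.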

Sucuri researchers disclosed the flaw to the WP Statistics team and reported it to the plugin's developers, who fixed the vulnerability in the latest version, WP Statistics 12.0.8.


So, if you have an older version of the plugin installed on your site and allow users to register, you are at risk and should upgrade to the latest version as soon as possible.

