WP Statistics: WordPress users beware, as a SQL injection vulnerability has been discovered in one of the platform's most popular plugins. The plugin is installed on over 300,000 websites, which could be compromised by attackers to steal their databases and potentially take control of them remotely.
The flaw was found in the very popular WP Statistics plugin, which gives administrators of WordPress CMS sites detailed information about the number of visitors to their pages and other statistics.
Discovered by the Sucuri Security team:
The WordPress plugin WP Statistics is vulnerable to a flaw that allows SQL injection. A remote attacker needs at least a subscriber account, and with it can steal sensitive information from the site's database and potentially gain unauthorized access to the site itself.
SQL injection is a flaw that lets an attacker insert their own SQL into the queries an application sends to its database, first to determine the structure and location of the data and ultimately to extract it.
The SQL injection vulnerability in WP Statistics is present in several of its functions, such as wp_statistics_searchengine_query().
"This vulnerability is due to the lack of sanitization of user-provided data," the researchers said. "Some attributes of the wpstatistics shortcode are passed as parameters to important functions, and this should not be a problem if those parameters were sanitized."
"One of the vulnerable functions is wp_statistics_searchengine_query() in the file 'includes/functions/functions.php', which is accessible through WordPress's AJAX functionality thanks to the wp_ajax_parse_media_shortcode() core function."
That function performs no additional permission checks, so any subscriber of the site can have the shortcode executed and feed malicious input into the vulnerable functions.
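To make the pattern the researchers describe concrete, here is an added illustration in PHP. It is not WP Statistics code, and every function, table and attribute name in it is assumed: a shortcode attribute interpolated straight into a query sits next to a hardened version that allowlists the value and binds it with $wpdb->prepare().

```php
<?php
/*
 * Illustrative example only (not the plugin's code). The function names,
 * the 'example_visits' table and the 'search_engine' attribute are assumptions.
 */

// VULNERABLE pattern: the shortcode attribute is interpolated into the SQL.
function example_stats_count_vulnerable( $search_engine ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_visits'; // assumed table name
    // If a subscriber controls $search_engine, a value such as
    // "google' OR 1=1 -- " changes the meaning of the query.
    $sql = "SELECT COUNT(*) FROM {$table} WHERE engine = '{$search_engine}'";
    return $wpdb->get_var( $sql );
}

// HARDENED pattern: allowlist the value, then bind it with $wpdb->prepare().
function example_stats_count_hardened( $search_engine ) {
    global $wpdb;
    $allowed = array( 'google', 'bing', 'duckduckgo', 'all' );
    if ( ! in_array( $search_engine, $allowed, true ) ) {
        $search_engine = 'all'; // reject anything outside the allowlist
    }
    $table = $wpdb->prefix . 'example_visits';
    if ( 'all' === $search_engine ) {
        return $wpdb->get_var( "SELECT COUNT(*) FROM {$table}" );
    }
    // %s is quoted and escaped by prepare(); the table name is built from
    // $wpdb->prefix, which is server configuration, never user input.
    $sql = $wpdb->prepare(
        "SELECT COUNT(*) FROM {$table} WHERE engine = %s",
        $search_engine
    );
    return $wpdb->get_var( $sql );
}

// Shortcode handler. As the article notes, shortcodes can be rendered by
// low-privileged users through core AJAX, so the handler must validate its
// own attributes rather than assume an administrator wrote them.
function example_stats_shortcode( $atts ) {
    $atts = shortcode_atts(
        array( 'search_engine' => 'all' ),
        $atts,
        'example_stats'
    );
    return esc_html( example_stats_count_hardened( $atts['search_engine'] ) );
}
add_shortcode( 'example_stats', 'example_stats_shortcode' );
```

The allowlist matters as much as prepare(): a search engine name only ever takes a handful of known values, so anything else is rejected outright instead of being passed, even safely quoted, to the database.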
Sucuri researchers disclosed the flaw to the WP Statistics team and reported it to the plugin's developers, who fixed the vulnerability in the latest release, WP Statistics 12.0.8.
So if you have an older version of the plugin installed and allow user registration on your site, you are at risk and should upgrade to the latest version as soon as possible.