
Unauthenticated SQL Injection Vulnerability Patched in WordPress Statistics Plugin <= 13.1.5

Feb 7, 2022

On February 7, 2022, security researcher Cyku Hong from DEVCORE reported to us a vulnerability they discovered in WP Statistics, a WordPress plugin installed on over 600,000 sites. The vulnerability made it possible for unauthenticated attackers to execute arbitrary SQL queries by appending them to an existing SQL query; affected versions are <= 13.1.4. This could be used to extract sensitive information such as password hashes and secret keys from the database. Later, a second vulnerability was discovered by Muhammad Zeeshan affecting versions <= 13.1.5 (including the release that patched the first issue). Because these are security releases, it is recommended that you update your sites immediately. Note that, in order to avoid website crashes and to ensure timely security updates, it is best to use our WordPress Maintenance Service.

WordPress WP Statistics plugin <= 13.1.5 – Unauthenticated Blind SQL Injection (SQLi) vulnerability

An unauthenticated blind SQL Injection (SQLi) vulnerability via the current_page_type parameter was discovered by Muhammad Zeeshan (Xib3rR4dAr) in the WordPress WP Statistics plugin, versions <= 13.1.5. The plugin is vulnerable because the current_page_type parameter, handled in the class-wp-statistics-hits.php file, is insufficiently escaped and not parameterized before being used in a query, which allows attackers without authentication to inject arbitrary SQL and obtain sensitive information.

Read more about this bug: external link here, here, here and here.

WordPress WP Statistics plugin <= 13.1.4 – Unauthenticated SQL Injection vulnerability

An unauthenticated SQL Injection vulnerability was discovered in the WordPress WP Statistics plugin, versions <= 13.1.4, by Cyku Hong (DEVCORE). The plugin is vulnerable because the exclusion_reason parameter, handled in the class-wp-statistics-exclusion.php file, is insufficiently escaped and not parameterized before being used in a query, which allows attackers without authentication to inject arbitrary SQL and obtain sensitive information. Exploitation requires the “Record Exclusions” option to be enabled on the vulnerable site.

Read more about this bug: external link here and here.
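Both issues above share the same root cause: a request-supplied value (current_page_type in one case, exclusion_reason in the other) reaches the SQL text without escaping or parameterization. The following PHP script is an added illustration written for this page, not code from the WP Statistics plugin, and does not reproduce the plugin's actual queries. It stands in a hypothetical hit-recording function in a vulnerable form beside a hardened one, using PDO with an in-memory SQLite database so it runs stand-alone; in a WordPress plugin the equivalent fix is $wpdb->prepare(). The table name, columns, allowed page types and sample rows are all constructed for the example.

```php
<?php
// Added example (not WP Statistics' own code). Demonstrates why splicing a
// request parameter into SQL is unsafe and how to fix it.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE hits (id INTEGER PRIMARY KEY, page_type TEXT, page_id INTEGER)');
// Constructed sample data.
$db->exec("INSERT INTO hits (page_type, page_id) VALUES ('post', 1), ('page', 2), ('post', 3)");

// VULNERABLE: the untrusted value becomes part of the SQL text itself.
// This is the class of defect the advisory describes: no escaping, no
// parameterization, so the database cannot tell data from query syntax.
function count_hits_vulnerable(PDO $db, string $page_type): int {
    $sql = "SELECT COUNT(*) FROM hits WHERE page_type = '" . $page_type . "'";
    return (int) $db->query($sql)->fetchColumn();
}

// HARDENED, step 1: a page type is a closed set, so validate against an
// allow-list (hypothetical list for this example) and reject anything else.
const ALLOWED_PAGE_TYPES = ['post', 'page', 'home', 'category', 'tag', 'search', '404'];

function normalize_page_type(string $raw): ?string {
    return in_array($raw, ALLOWED_PAGE_TYPES, true) ? $raw : null;
}

// HARDENED, step 2: bind the value as a parameter. The query structure is
// fixed before any user data is sent, so the data can never alter it.
// WordPress equivalent:
//   $wpdb->get_var($wpdb->prepare("SELECT COUNT(*) FROM {$table} WHERE page_type = %s", $type));
function count_hits_hardened(PDO $db, string $page_type): int {
    $type = normalize_page_type($page_type);
    if ($type === null) {
        return 0; // unknown type: nothing to count, and nothing reaches SQL
    }
    $stmt = $db->prepare('SELECT COUNT(*) FROM hits WHERE page_type = :t');
    $stmt->execute([':t' => $type]);
    return (int) $stmt->fetchColumn();
}

// A normal value and a value containing a quote character. The quote is
// enough to show the problem: the vulnerable version hands it to the
// database as SQL syntax and fails, while the hardened version treats it
// as data (and, being outside the allow-list, rejects it).
$inputs = ['post', "post'"];
foreach ($inputs as $in) {
    try {
        $vulnerable = (string) count_hits_vulnerable($db, $in);
    } catch (PDOException $e) {
        $vulnerable = 'SQL error (input was parsed as query syntax)';
    }
    printf("input=%-8s vulnerable=%s hardened=%d\n",
        json_encode($in), $vulnerable, count_hits_hardened($db, $in));
}
```

Run it with `php example.php`. The allow-list is the important part for a parameter like current_page_type: parameterization alone stops the injection, but validating against the set of values the application actually uses also keeps junk out of the statistics table and makes unexpected input easy to log and alert on.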

Key security problems: SQLi (SQL Injection) | WordPress Plugins
