On February 7, 2022, security researcher Cyku Hong from DEVCORE reported to us a vulnerability they had discovered in WP Statistics, a WordPress plugin installed on over 600,000 sites. The vulnerability, which affects versions <= 13.1.4, made it possible for unauthenticated attackers to execute arbitrary SQL queries by appending them to an existing SQL query. This could be used to extract sensitive information like password hashes and secret keys from the database. Later, a new vulnerability was discovered by Muhammad Zeeshan in versions <= 13.1.5 (including the patched...
