"This vulnerability is due to a lack of control over the data that users provide. Some properties of the shortcode wpstatistics have been omitted instead of being recognized as parameters for important functions," the researchers said. "One of the vulnerable functions is the search query wp_statistics_searchengine_query() in the includes/functions/functions.php file, accessed via WordPress AJAX thanks to wp_ajax_parse_media_shortcode()."
This function does not check for additional privileges, which allows website followers (registered users) to execute the shortcode and inject malicious code into its properties. Researchers at Sucuri reported the issue to the WP Statistics team, which patched the vulnerability in the latest version, 12.0.8. If you are running a vulnerable version and your website allows users to register, install the latest version as soon as possible.
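
For plugin authors, the defensive pattern for this class of bug looks like the following. This is an added example, not code from WP Statistics or its patch: the shortcode name, attribute names, allowlist and table name are all hypothetical. It treats every shortcode attribute as untrusted input and binds values with $wpdb->prepare().

```php
<?php
/**
 * Plugin Name: Example Stats Shortcode (added example)
 * Hypothetical plugin code, not taken from WP Statistics.
 */
defined( 'ABSPATH' ) || exit;

// Engines the shortcode may report on (constructed allowlist).
const EXAMPLE_STATS_ENGINES = array( 'google', 'bing', 'duckduckgo' );

function example_stats_shortcode( $atts ) {
    global $wpdb;

    // Any logged-in user who can trigger shortcode rendering controls $atts,
    // so every attribute is handled as untrusted input.
    $atts = shortcode_atts(
        array(
            'engine' => 'google',
            'days'   => 7,
        ),
        $atts,
        'example_stats'
    );

    // Allowlist the string attribute; reject anything else outright.
    $engine = sanitize_key( $atts['engine'] );
    if ( ! in_array( $engine, EXAMPLE_STATS_ENGINES, true ) ) {
        return '';
    }

    // Force the numeric attribute into a bounded integer.
    $days = min( max( absint( $atts['days'] ), 1 ), 365 );

    // Unsafe pattern this replaces: "... WHERE engine = '{$atts['engine']}'".
    // prepare() binds the values instead of splicing them into the SQL text.
    $table = $wpdb->prefix . 'example_search_hits'; // hypothetical table
    $count = $wpdb->get_var(
        $wpdb->prepare(
            "SELECT COUNT(*) FROM {$table} WHERE engine = %s AND hit_date >= DATE_SUB(CURDATE(), INTERVAL %d DAY)",
            $engine,
            $days
        )
    );

    return esc_html( number_format_i18n( (int) $count ) );
}
add_shortcode( 'example_stats', 'example_stats_shortcode' );
```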