WordPress plugin installed on more than 300,000 sites is vulnerable to SQL Injection attacks
An SQL Injection vulnerability has been found in one of WordPress's most popular plugins, currently installed on more than 300,000 websites. Attackers can exploit it to steal databases and take over remote sites.
The flaw is in the popular WP Statistics plugin, which lets site administrators view detailed information about the number of users online, visits, visitors and other site statistics.
Discovered by the Sucuri team, the vulnerability in WP Statistics allows a remote attacker with nothing more than a registered account to steal sensitive data from the website's database and potentially take over the site.
SQL Injection is a web application flaw that lets an attacker inject SQL (Structured Query Language) code through web input fields, determine the structure and location of the database, and ultimately steal information from it.
The SQL Injection vulnerability lies in several functions, including wp_statistics_searchengine_query().
'This vulnerability is due to a lack of control over the data that users provide. Some attributes of the wpstatistics shortcode have been omitted instead of being recognized as parameters for important functions,' the researchers said. 'One of the vulnerable functions is the search query wp_statistics_searchengine_query() in the includes/functions/functions.php file, accessible via WordPress AJAX thanks to wp_ajax_parse_media_shortcode().'
This function performs no additional privilege check, which allows registered users of the site to execute the shortcode and inject malicious code through its attributes. Sucuri researchers reported the flaw to the WP Statistics team, who patched it in the latest version, 12.0.8. If you are running a vulnerable version and your website allows users to register, install the latest version without delay.
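The class of bug described above (a shortcode attribute reaching SQL without validation, through a handler that any logged-in user can trigger) is easiest to recognise side by side with its fix. The following is an added illustrative example and is not WP Statistics' own code: it assumes a hypothetical shortcode `[mystats time="..."]` backed by a hypothetical table `{prefix}mystats_visits`, running inside WordPress where `$wpdb`, `shortcode_atts()`, `current_user_can()` and `add_shortcode()` are available.

```php
<?php
// Illustrative example, not code from the WP Statistics plugin.
// Hypothetical shortcode [mystats time="..."] and table {prefix}mystats_visits.

// Weak pattern: the attribute is concatenated straight into SQL and the
// handler does no capability check of its own. Because WordPress core's
// wp_ajax_parse_media_shortcode() renders shortcodes for logged-in users,
// any registered account can reach this code path.
function mystats_shortcode_weak( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'time' => 'total' ), $atts, 'mystats' );
    $sql  = "SELECT COUNT(*) FROM {$wpdb->prefix}mystats_visits WHERE period = '" . $atts['time'] . "'";
    return (string) $wpdb->get_var( $sql );
}

// Hardened pattern: gate the handler on a capability, allow-list the
// attribute, and pass whatever must reach SQL through $wpdb->prepare().
function mystats_shortcode_hardened( $atts ) {
    global $wpdb;

    // The shortcode decides who may run it; it must not rely on the caller.
    if ( ! current_user_can( 'manage_options' ) ) {
        return '';
    }

    $atts    = shortcode_atts( array( 'time' => 'total' ), $atts, 'mystats' );
    $allowed = array( 'total', 'today', 'week', 'month' );
    if ( ! in_array( $atts['time'], $allowed, true ) ) {
        $atts['time'] = 'total'; // unknown values fall back to a safe default
    }

    // Even an allow-listed value is bound as a parameter, never concatenated.
    $sql = $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->prefix}mystats_visits WHERE period = %s",
        $atts['time']
    );
    return (string) $wpdb->get_var( $sql );
}

add_shortcode( 'mystats', 'mystats_shortcode_hardened' );
```

Two defensive points are worth noting. First, the capability check belongs inside the shortcode handler, because WordPress exposes shortcode rendering through AJAX endpoints the plugin does not control. Second, the allow-list and `$wpdb->prepare()` are independent layers: the allow-list limits what the query can express, and the prepared statement guarantees that any value which does get through is treated as data rather than SQL.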