Researchers from the Wordfence Threat Intelligence discovered a Time-Based Blind SQL Injection vulnerability in WP Statistics, which is a WordPress plugin with over 600,000 active installs.
The plugin was developed by VeronaLabs, it provides complete website statistics to site owners.
The vulnerability could be exploited by an unauthenticated attacker to extract sensitive information from a WordPress website using the vulnerable plugin.
The flaw has been rated with a CVSS Score of 7.5 (High severity), it affects plugin versions prior 13.0.8.
Site administrators could display detailed statistics about traffic to their site by accessing the WP Statistics “Pages” menu item that generates a SQL query in order to provide statistics. Researchers discovered that it was possible to access the WP Statistics “Pages” even without admin privileges.
“While the “Pages” page was intended for administrators only and would not display information to non-admin users, it was possible to start loading this page’s constructor by sending a request to wp-admin/admin.php with the page parameter set to wps_pages_page.” reads the analysis published by Wordfence. “Since the SQL query ran in the constructor for the “Pages” page, this meant that any site visitor, even those without a login, could cause this SQL query to run. A malicious actor could then supply malicious values for the ID or type parameters.”
The SQL query did not use a prepared statement and an attacker could easily manipulate
ID input parameter to bypass the esc_sql function to generate queries which could allow extracting sensitive data from the site, including user emails, password hashes, and encryption keys and salts.
“In a targeted attack, this vulnerability could be used to extract personally identifiable information from commerce sites containing customer information. This underscores the importance of having security protections with an endpoint firewall in place wherever sensitive data is stored.” continues the post.
Below the timeline for this vulnerability:
March 13, 2021 – The Wordfence Threat Intelligence team finishes researching a vulnerability in the WP Statistics plugin and contacts VeronaLabs. VeronaLabs responds and we provide full disclosure.
March 15, 2021 – VeronaLabs replies with a fixed version for us to test and we verify that it corrects the issue.
March 25, 2021 – A patched version of the plugin, 13.0.8, is released.
(SecurityAffairs – hacking, WordPress)