Popular WordPress plugin WP Statistics allowed hackers to steal database & hijack sites

Imagine your site gets hacked and the hacker steals all your data despite every precaution you took. The passwords were strong, and still, they accessed your site. Well, this could be possible if the hackers found a path through a plugin installed in the database. It was found that popular WordPress plugin WP Statistics had vulnerabilities that could allow hackers to access sites with admin privileges.

WP Statistics. Source: wordpress.com

Security firm Sucuri released a report that the popular WordPress plugin WP Statistics has a SQL injection vulnerability. This plugin was quite popular and is installed on more than 300,000 sites as of present. The plugin was vulnerable in the section for the user provided data. It was like, any person with a simple subscriber account to the site could leak data from the site.

WordPress plugin WP Statistics vulnerable

WordPress provides users with an API which allows developers to code such that users can inject using a shortcode. The WP Statistics plugin permits users to check the statistics of the site and call necessary information using the shortcode. However, the vulnerability was such that it did not check for admin privileges before giving the information and anyone with a mere subscriber account could access it.

A typical example of an attack in such a scenario would be when an attacker creates a subscriber account on the site and leaves a comment on any page. The comment would have a javascript to perform the intended action. As soon as the administrator access the comment section to check for approvals, the javascript runs with administrator privileges, says Sucuri.

Jouko Pynnonen, a security expert from Finland said, “If the attacker writes new PHP code on the server via the plugin editor, another AJAX request can be used to execute it instantaneously, whereby the attacker gains operating system level access on the server.”

As scary as it sounds, all this stems from flaws in a single WordPress plugin. The bug has been fixed, and it is strongly recommended to update the plugin as soon as possible. A complete WordPress update would also be recommended.

Posted by with Tags
Karan Khanna is a passionate Windows 10 user who loves troubleshooting Windows problems in specific and writing about Microsoft technologies in general.