WP Statistics plugin for WordPress exposes database

WordPress WP Statistics vulnerability

A vulnerability in the popular WordPress plugin, WP Statistics, allows sensitive data from within the WordPress database to be extracted without logging in.

WP Statistics is used by over 600,000 WordPress sites globally and allows site owners to monitor and track website statistics without external tools. WP Statistics captures visitor information such as IP addresses, browser information, country and city of origin, and page-level statistics.

WordPress security specialists, Wordfence, first discovered the vulnerability back in March 2021 and notified the plugin developers at VeronaLabs. The developer released a patch within a few days.

Wordfence has since discovered that the vulnerability can also be exploited by unauthenticated attackers (CVE-2021-24340). "While our original report indicated that an attacker needed to be authenticated to exploit this vulnerability, we have since discovered that it can be exploited by unauthenticated attackers as well," said Ram Gall, a cybersecurity analyst at Wordfence, in a blog post. "In a targeted attack, this vulnerability could be used to extract personally identifiable information from commerce sites containing customer information."

This vulnerability is a Time-Based Blind SQL Injection: specially crafted input is sent to the plugin so that it alters the intended SQL query and retrieves data directly from the WordPress database. In the time-based blind form, the query's result is never shown in the response; the attacker instead infers it from how long the server takes to reply.
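Because time-based blind injection leaks data only through response latency, the most useful signal for a site operator is the pairing of delay functions in request parameters with unusually slow responses. The script below is an added example written for this article, not code from Wordfence or VeronaLabs; it assumes a web-server log format that appends the request time in milliseconds as the final field (a common custom `log_format`), and the log lines are constructed for illustration rather than taken from any real site.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines (not real traffic): combined log format with the
# request time in milliseconds appended as the last field.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jun/2021:10:00:01 +0000] "GET /?p=12 HTTP/1.1" 200 5120 32
203.0.113.11 - - [12/Jun/2021:10:00:05 +0000] "GET /?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 43 5060
203.0.113.11 - - [12/Jun/2021:10:00:11 +0000] "GET /?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 43 5071
203.0.113.12 - - [12/Jun/2021:10:00:15 +0000] "GET /?id=1 HTTP/1.1" 200 43 28
203.0.113.13 - - [12/Jun/2021:10:00:20 +0000] "GET /?id=1%20AND%20sleep(0) HTTP/1.1" 200 43 30
"""

# Fields: client IP, timestamp, method, request target, status, bytes, elapsed ms.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<ms>\d+)$'
)

# MySQL/MariaDB delay primitives that time-based blind injection depends on.
DELAY_RE = re.compile(r'\b(SLEEP|BENCHMARK)\s*\(', re.IGNORECASE)

# Anything at or above this is "suspiciously slow" next to the normal tens-of-ms responses.
SLOW_MS = 3000


def classify(line: str):
    """Return (ip, decoded_target, reason) for a suspicious line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: skip rather than guess
    decoded = unquote_plus(m['target'])  # payloads arrive URL-encoded
    has_delay = bool(DELAY_RE.search(decoded))
    slow = int(m['ms']) >= SLOW_MS
    if has_delay and slow:
        # Delay function present and the server actually stalled: the query likely ran.
        return (m['ip'], decoded, 'delay-function-and-slow-response')
    if has_delay:
        # Delay function present but no stall: probe that did not reach the database.
        return (m['ip'], decoded, 'delay-function')
    return None


def scan(log_text: str):
    """Classify every line of a log and return the suspicious ones in order."""
    return [c for c in (classify(l) for l in log_text.splitlines()) if c]


def sources_by_hits(findings):
    """Count findings per source IP, most active first."""
    counts = {}
    for ip, _, _ in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


if __name__ == '__main__':
    found = scan(SAMPLE_LOG)
    for ip, target, reason in found:
        print(f'{ip}  {reason}  {target}')
    print(sources_by_hits(found))
```

The two-tier classification matters: a delay function that did not produce a delay usually means the input never reached a query, while a delay function paired with a multi-second response is the pattern a successful blind extraction leaves behind, repeated once per bit or character. Detection is a stopgap; the durable fix is the patched plugin version, which is why the upgrade advice later in the article is the priority.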

The vulnerability has been scored 7.5 out of 10, a high severity rating.

Wordfence advises users of the plugin to ensure they have updated to the patched version, 13.0.8, as soon as possible.

Timeline (According to Wordfence)

March 13, 2021 – The Wordfence Threat Intelligence team finishes researching a vulnerability in the WP Statistics plugin and contacts VeronaLabs. VeronaLabs responds and provides full disclosure.

March 15, 2021 – VeronaLabs replies with a fixed version for testing, and Wordfence verifies that it corrects the issue.

March 25, 2021 – A patched version of the plugin, 13.0.8, is released.
