A SQL injection vulnerability has been discovered in one of the most popular WordPress plugins, installed on over 300,000 websites, which could be exploited by attackers to steal databases and possibly hijack the affected sites remotely.
The flaw has been discovered in the highly popular WP Statistics plugin, which allows site administrators to get detailed information about the number of users online on their sites, the number of visits and visitors, and page statistics.
Discovered by the Sucuri team, the WordPress plugin WP Statistics is vulnerable to a SQL injection flaw that allows a remote attacker with at least a subscriber account to steal sensitive data from the website's database and possibly gain unauthorized access to the site.
SQL injection is a web application bug in which untrusted input is placed directly into a Structured Query Language (SQL) statement, letting an attacker alter the queries the application runs against its database. That in turn lets the attacker map the database's structure and read (or modify) its contents.
The SQL injection vulnerability in the WP Statistics plugin resides in multiple functions, including wp_statistics_searchengine_query().
"This vulnerability is caused by the lack of sanitization in user-provided data," researchers said. "Some attributes of the shortcode wpstatistics are being passed as parameters for important functions and this should not be a problem if those parameters were sanitized."
"One of the vulnerable functions wp_statistics_searchengine_query() in the file 'includes/functions/functions.php' is accessible through WordPress' AJAX functionality thanks to the core function wp_ajax_parse_media_shortcode()."
This function does not check for additional privileges, which allows website subscribers to execute this shortcode and inject malicious code into its attributes.
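The pattern described above, reduced to its essentials as an added illustration that is not WP Statistics' own code: a shortcode-style attribute reaches a SQL query unsanitized, and a crafted value appends rows from an unrelated table to the result. The attribute name, table names, rows and the crafted value are all constructed for this example; it uses an in-memory SQLite database through PDO so it runs stand-alone with plain `php`, where a WordPress plugin would use `$wpdb->prepare()` and `$wpdb->get_results()`.

```php
<?php
// Illustrative example, not the plugin's code. Shows an attribute value
// concatenated into SQL (vulnerable) beside an allowlisted, parameterized
// query (hardened). PDO + in-memory SQLite stands in for $wpdb.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample schema and rows.
$db->exec('CREATE TABLE stats_visits (id INTEGER PRIMARY KEY, engine TEXT, hits INTEGER)');
$db->exec("INSERT INTO stats_visits (engine, hits) VALUES ('google', 42), ('bing', 7)");
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pass TEXT)');
$db->exec("INSERT INTO users (login, pass) VALUES ('admin', 'hashedpassword')");

// Hypothetical attribute: which search engine's hits to report.
$allowed_engines = ['google', 'bing', 'yahoo'];

/** VULNERABLE: the attribute value is pasted straight into the statement. */
function visits_for_engine_unsafe(PDO $db, string $engine): array
{
    $sql = "SELECT engine, hits FROM stats_visits WHERE engine = '$engine'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** HARDENED: reject values outside an allowlist, then bind the value. */
function visits_for_engine_safe(PDO $db, string $engine, array $allowed): array
{
    if (!in_array($engine, $allowed, true)) {
        return [];                          // not a known engine: refuse
    }
    $stmt = $db->prepare('SELECT engine, hits FROM stats_visits WHERE engine = :engine');
    $stmt->execute([':engine' => $engine]); // value is data, never SQL
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A crafted attribute value such as a subscriber could supply. The UNION
// has the same column count as the original SELECT, so its rows are
// returned alongside the statistics; "--" comments out the trailing quote.
$payload = "x' UNION SELECT login, pass FROM users -- ";

print_r(visits_for_engine_unsafe($db, $payload));                 // leaks admin / hashedpassword
print_r(visits_for_engine_safe($db, $payload, $allowed_engines)); // empty array
print_r(visits_for_engine_safe($db, 'google', $allowed_engines)); // google => 42
```

The binding alone closes the injection; the allowlist additionally keeps a shortcode attribute from selecting arbitrary data even through a correctly prepared query. The second half of the problem on this page, the AJAX path reachable by any logged-in user, is a separate fix: the handler that renders the shortcode should check a capability such as `current_user_can('manage_options')` before doing any work for the caller.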
The researchers at Sucuri privately disclosed the flaw to the WP Statistics team, which has patched the vulnerability in its latest release, WP Statistics version 12.0.8.
So, if you have a vulnerable version of the plugin installed and your website allows user registration, you are definitely at risk, and you should install the latest version as soon as possible.