Security Advisory – High severity – WP-Statistics WordPress Plugin


Advisory for: WordPress WP-Statistics Plugin
Security Risk: High (DREAD score: 7/10)
Exploitation level: Easy/Remote
Vulnerability: Stored XSS that executes in the administration panel.
Patched Version: 8.3.1

If you’re using the WP-Statistics WordPress plugin on your website, now is the time to update. While doing a routine audit for our Website Firewall product, we discovered a few vulnerabilities in the plugin that could be used by malicious individuals to put your site’s security at risk.

What are the risks?

Every website using version 8.3 or lower of this plugin is to be considered vulnerable.

An attacker can use Stored Cross Site Scripting (XSS) and Reflected XSS attack vectors to force a victim’s browser to perform administrative actions on the attacker’s behalf. Leveraging this vulnerability, one could create new administrator account(s), insert SEO spam in legitimate blog posts, and perform a number of other actions within the WordPress admin panel.

If you use an affected version of this plugin, update as soon as possible!

Technical details

We will disclose all technical details in 30 days.

But the problem is very simple. The plugin fails to properly sanitize some of the data it gathers for statistical purposes, data which is controlled by the website’s visitors. If an attacker decided to put malicious JavaScript code in the affected parameter, it would be saved in the database and printed as-is in the administrative panel, forcing the victim’s browser to perform background tasks on the attacker’s behalf.

In our proof of concept, we were able to create new admin accounts using this vulnerability.
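The defect described above, as an added PHP example that is not the plugin’s own code: a visitor-controlled value is stored and later concatenated unescaped into an admin page, shown beside the hardened rendering that escapes for the output context. The field names and sample values are constructed assumptions, since the advisory does not name the affected parameter.

```php
<?php
// Added example (not WP-Statistics code). Field names are assumptions: the
// advisory does not say which visitor-controlled parameter was affected.

// Constructed sample of what an unauthenticated visitor can send; a stats
// plugin records such request data from every visit.
$visit = [
    'ip'       => '203.0.113.5',
    'referrer' => 'http://example.com/?q="><script>alert(document.cookie)</script>',
    'agent'    => 'Mozilla/5.0 <img src=x onerror=alert(1)>',
];

// VULNERABLE: stored values are concatenated straight into admin-page markup,
// so any markup in them reaches the administrator's browser intact.
function render_row_unsafe(array $row): string {
    return '<tr><td>' . $row['ip'] . '</td><td><a href="' . $row['referrer'] . '">'
         . $row['referrer'] . '</a></td><td>' . $row['agent'] . '</td></tr>';
}

// Escape for HTML text and attribute context. In a WordPress plugin the
// equivalents are esc_html()/esc_attr(); this helper mirrors them so the
// example runs on plain PHP.
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Only http/https referrers are allowed into an href; other schemes
// (e.g. javascript:) are dropped.
function safe_url(string $url): string {
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : '';
}

// HARDENED: every stored value is escaped for the exact context it is printed
// in. Escaping at output time also neutralises rows already in the database.
function render_row_safe(array $row): string {
    $href = esc(safe_url($row['referrer']));
    return '<tr><td>' . esc($row['ip']) . '</td><td><a href="' . $href . '">'
         . esc($row['referrer']) . '</a></td><td>' . esc($row['agent']) . '</td></tr>';
}

echo render_row_unsafe($visit), PHP_EOL;  // raw <script> and onerror= land in the page
echo render_row_safe($visit), PHP_EOL;    // same data rendered as inert text
```

Escaping on output is the fix the advisory implies; filtering only on input leaves previously stored rows exploitable.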

Upgrade as soon as possible!

This is quite a dangerous vulnerability; upgrading your affected websites should be done as soon as possible. Of course, all our Website Firewall customers have been proactively protected against this vulnerability via our Virtual Patching technology.
