WordPress plugin WP Statistics vulnerable to SQL injection

WP Statistics, one of the most widely installed WordPress plugins with around 300,000 active installs, has been found vulnerable to SQL injection because some of its functions do not sanitize the input they receive before using it in database queries.

SQL injection is a technique for injecting attacker-controlled SQL into a data-driven application. Malicious SQL is entered in an input field and ends up being executed by the database, because the application concatenates the input into a query string instead of treating it as data. It is one of the most common techniques for attacking websites, and it lets a remote attacker read, modify or destroy the contents of the database and, through it, the site itself.

The WP Statistics plugin lets the administrator see how many users are online on the site, which pages they are visiting, and several other page statistics.

Recently a team of researchers at Sucuri discovered that WP Statistics is vulnerable to exactly this kind of attack. The cause is insufficient sanitization of user-supplied data before it is used to build database queries.

The functions involved are:

  • wp_statistics_searchengine_query(), the plugin function that builds the search-engine statistics query without sanitizing its parameters
  • wp_ajax_parse_media_shortcode(), the WordPress core AJAX handler through which a logged-in user can have the plugin's shortcode, and therefore that query, executed

Because these functions do not check whether the calling user has the privileges needed for the action, any registered user of the site, even one with the lowest Subscriber role, can reach the unsanitized query and inject SQL of their choosing into it. Site owners running WP Statistics should update to a version that contains the fix (12.0.8 or later) and, as a general rule, treat every value that reaches a query from a shortcode attribute or request parameter as untrusted.
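The pattern behind this bug, and the fix for it, as an added example that is not the plugin's code or part of the original article. It models in Python with SQLite what the plugin does in PHP against the WordPress database: a search-engine statistics query that takes an engine name and a date from the caller. The table layout, column names and sample rows are assumptions constructed for the example. The vulnerable version pastes both values into the SQL string; the hardened version checks the engine name against an allow-list and binds every value as a parameter, which is what $wpdb->prepare() placeholders do in WordPress.

```python
import sqlite3

# Constructed sample data for this example. The table layout, names and
# values are assumptions for illustration, not the plugin's real schema.
SEARCH_ROWS = [
    ("google", "wordpress", "2017-06-01"),
    ("bing", "statistics", "2017-06-01"),
    ("google", "plugin", "2017-06-02"),
]
USER_ROWS = [("admin", "$P$Bfakehash1"), ("editor", "$P$Bfakehash2")]

# Allow-list of engine names the query is ever expected to see.
KNOWN_ENGINES = frozenset({"google", "bing", "yahoo"})


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE search (engine TEXT, words TEXT, last_counter TEXT)")
    conn.executemany("INSERT INTO search VALUES (?, ?, ?)", SEARCH_ROWS)
    conn.execute("CREATE TABLE users (user_login TEXT, user_pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USER_ROWS)
    return conn


def vulnerable_searchengine_query(conn, search_engine, time=None):
    """Models the flaw: caller-controlled strings are pasted straight into the SQL.

    Returns the first column of every row the database hands back, which for a
    clean call is a single COUNT(*) value.
    """
    where = f"engine = '{search_engine}'"
    if time is not None:
        where += f" AND last_counter = '{time}'"
    sql = f"SELECT COUNT(*) FROM search WHERE {where}"
    return [row[0] for row in conn.execute(sql).fetchall()]


def hardened_searchengine_query(conn, search_engine, time=None):
    """Same query with two fixes: an allow-list for the engine name and bound
    parameters for every value, so input can never change the query's shape."""
    if search_engine not in KNOWN_ENGINES:
        raise ValueError(f"unknown search engine: {search_engine!r}")
    sql = "SELECT COUNT(*) FROM search WHERE engine = ?"
    params = [search_engine]
    if time is not None:
        sql += " AND last_counter = ?"
        params.append(time)
    return [row[0] for row in conn.execute(sql, params).fetchall()]


if __name__ == "__main__":
    db = make_db()
    # Legitimate call: one google hit on that day.
    print(vulnerable_searchengine_query(db, "google", "2017-06-01"))
    # Tautology in the engine name: the WHERE clause matches every row.
    print(vulnerable_searchengine_query(db, "google' OR '1'='1"))
    # Tautology in the date: AND binds tighter than OR, so again every row.
    print(vulnerable_searchengine_query(db, "google", "2017-06-01' OR '1'='1"))
    # UNION through the same hole pulls password hashes out of another table.
    print(vulnerable_searchengine_query(db, "x' UNION SELECT user_pass FROM users WHERE '1'='1"))
    # The hardened query binds the date literally and finds nothing.
    print(hardened_searchengine_query(db, "google", "2017-06-01' OR '1'='1"))
```

The UNION case is the one that matters for an attacker: a function whose only legitimate output is a count can be turned into a channel for any table the database user can read, which is why the page describes the impact as reaching the whole site and not just the statistics data. Note that the allow-list alone would not protect the date parameter, and parameter binding alone would still accept arbitrary engine names; the two measures cover different inputs and belong together.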