The online security experts at Sucuri have identified another SQL injection vulnerability in a popular WordPress plugin, while auditing numerous open source plugins to search for potential security issues.
The plugin in question is WP Statistics, which has over 300,000 active installs and is billed as ‘a comprehensive plugin for your WordPress visitor statistics’. The vulnerability is an SQL injection, and it puts at risk any site that runs a vulnerable version of the plugin and allows user registration, since the flaw is reachable from a low-privilege account. Sucuri goes into further detail on its blog:
‘This vulnerability is caused by the lack of sanitization in user provided data. An attacker with at least a subscriber account could leak sensitive data and under the right circumstances/configurations compromise your WordPress installation.’
Any users who want to continue using WP Statistics are urged to update immediately, whereas those who no longer require the plugin should deactivate and uninstall it via their WordPress Dashboard as soon as possible.