
WPStatistics, as the name suggests, is a plugin that lets site owners see and display their visitor count. It also records the IP address and country of each visitor.
The Wordfence Threat Intelligence team announced that it found a vulnerability in the WPStatistics plugin, which is installed on more than 600,000 WordPress websites. It is an SQL injection vulnerability that allows visitors to reach all kinds of information in the site's database, including emails and passwords.
Description: Unauthenticated Time-Based Blind SQL Injection
Affected Plugin: WP Statistics
Plugin Slug: wp-statistics
Affected Versions: < 13.0.8
CVE ID: CVE-2021-24340
CVSS Score: 7.5 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Fully Patched Version: 13.0.8
WPStatistics lets administrators see page statistics, such as how much traffic each page receives, and according to the researchers this feature allows attackers to reach the database without authorization. “As this was a Time-Based Blind SQL injection vulnerability, exfiltrating information would be a relatively slow process, and it would be impractical to use it to extract bulk records, but high-value information such as user emails, password hashes, and encryption keys and salts could be extracted in a matter of hours with the help of automated tools such as sqlmap. In a targeted attack, this vulnerability could be used to extract personally identifiable information from commerce sites containing customer information. This underscores the importance of having security protections with an endpoint firewall in place wherever sensitive data is stored.” they wrote in their post.
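Because a time-based blind injection has to make the database stall, the stall itself is the detection signal. The following added example (not from Wordfence or the plugin) scans constructed Apache access-log lines that carry the request duration, flags requests containing SQL time-delay functions, and separates probes that actually made the server wait from ones that were answered quickly. The admin page path and the ID parameter in the sample lines are hypothetical; the advisory does not name the injectable parameter.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines: Apache combined format with the request duration in
# microseconds (%D) appended. The admin page path and the ID parameter are
# hypothetical; the advisory does not name the injectable parameter.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2021:12:00:01 +0000] "GET /wp-admin/admin.php?page=wps_pages_page HTTP/1.1" 200 5120 120000
203.0.113.7 - - [10/Jun/2021:12:00:09 +0000] "GET /wp-admin/admin.php?page=wps_pages_page&ID=1%20AND%20SLEEP(5) HTTP/1.1" 200 5120 5213000
203.0.113.7 - - [10/Jun/2021:12:00:20 +0000] "GET /wp-admin/admin.php?page=wps_pages_page&ID=1%20AND%20BENCHMARK(5000000,MD5(1)) HTTP/1.1" 200 5120 4987000
203.0.113.7 - - [10/Jun/2021:12:00:31 +0000] "GET /wp-admin/admin.php?page=wps_pages_page&ID=1%20AND%20SLEEP(5) HTTP/1.1" 403 199 800
198.51.100.2 - - [10/Jun/2021:12:01:00 +0000] "GET /?p=42 HTTP/1.1" 200 8800 90000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ (?P<us>\d+)$'
)
# SQL time-delay primitives used by time-based blind injection (MySQL, PostgreSQL, MSSQL).
DELAY_RE = re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.IGNORECASE)


def is_time_based_probe(path: str) -> bool:
    """True if the URL-decoded request path carries a SQL time-delay function."""
    return DELAY_RE.search(unquote_plus(path)) is not None


def find_suspects(log_text: str, min_delay_ms: int = 2000) -> list:
    """Return flagged requests. 'confirmed' means the delay payload was present AND the
    server stalled for at least min_delay_ms, i.e. the injected SQL actually ran;
    'attempted' means the payload was seen but the response came back quickly."""
    suspects = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_time_based_probe(m["path"]):
            continue
        ms = int(m["us"]) // 1000
        suspects.append({
            "ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
            "path": unquote_plus(m["path"]), "response_ms": ms,
            "severity": "confirmed" if ms >= min_delay_ms else "attempted",
        })
    return suspects


if __name__ == "__main__":
    for s in find_suspects(SAMPLE_LOG):
        print(f'{s["severity"]:9} {s["ip"]} {s["response_ms"]:>5} ms {s["status"]} {s["path"]}')
```

A run of "confirmed" hits from one IP against the same page is the pattern to alert on; "attempted" hits with a 403 show a firewall rule doing its job.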