A Time-Based Blind SQL Injection vulnerability with a CVSS Score of 7.5 severiity in WP Statistics, which is a WordPress plugin with over 600,000 active installs provides website statistics. An unauthenticated attacker can extract sensitive info from the website using this Vulnerability.

Site administrators could display detailed statistics about traffic to their site by accessing the WP Statistics “Pages” menu item that generates a SQL query in order to provide statistics. This can be exploited without admin consent.

While the “Pages” page was intended for administrators only and would not display information to non-admin users, it was possible to start loading this page’s constructor by sending a request to wp-admin/admin.php with the page parameter set to wps_pages_page.

Since the SQL query ran in the constructor for the “Pages” page, this meant that any site visitor, even those without a login, could cause this SQL query to run. A malicious actor could then supply malicious values for the ID or type parameters.

Below the timeline for this vulnerability:

March 13, 2021 – The Wordfence Threat Intelligence team finishes researching a vulnerability in the WP Statistics plugin and contacts VeronaLabs. VeronaLabs responds and we provide full disclosure.
March 15, 2021 – VeronaLabs replies with a fixed version for us to test and we verify that it corrects the issue.