Critical Vulnerability Fixed In WP Statistics Plugin, Over 600,000 Sites Impacted

The Wordfence Threat Intelligence team recently disclosed information about a flaw in WP Statistics Plugin.

WP Statistics is a WordPress plugin that allows website owners to see comprehensive statistics about their site’s users, including which posts they visit. Via Time-Based Blind SQL Injection, any site visitor may extract sensitive information from a site’s database.



On March 13, 2021, the Wordfence team received a response to their initial disclosure and submitted the full disclosure to VeronaLabs, the plugin’s developers. On March 25, 2021, a patch for this vulnerability was released.

Although Wordfence’s initial report stated that an attacker will need to be authenticated to exploit this flaw, they have since discovered that unauthenticated attackers can also exploit it.

WP Statistics Plugin Update

So, If you’re using this plugin in your WordPress site, We recommend you to update to the patched version, 13.0.8, to keep your website safe from attackers.


Disclosure: Our content is reader-supported, which means that if you click on some of our links that we may earn a commission.