The Wordfence Threat Intelligence team recently disclosed information about a flaw in the WP Statistics plugin.
WP Statistics is a WordPress plugin that allows website owners to see comprehensive statistics about their site’s users, including which posts they visit. Through a time-based blind SQL injection, any site visitor may extract sensitive information from a site’s database.
Moments ago, the Wordfence Threat Intelligence team posted details of a vulnerability in WP Statistics, a plugin installed on over 600,000 WordPress sites. Full details and how to ensure your site is protected are on the official Wordfence blog. https://t.co/eefaKQMnPQ — Wordfence (@wordfence) May 18, 2021
On March 13, 2021, the Wordfence team received a response to their initial disclosure and submitted the full disclosure to VeronaLabs, the plugin’s developers. On March 25, 2021, a patch for this vulnerability was released.
Although Wordfence’s initial report stated that an attacker would need to be authenticated to exploit this flaw, the team has since discovered that unauthenticated attackers can also exploit it.
If you use this plugin on your WordPress site, we recommend updating to the patched version, 13.0.8, to keep your website safe from attackers.