Description

WordPress Plugin WP Statistics is prone to an SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. WordPress Plugin WP Statistics version 9.4 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 9.4.1 or latest

References

http://cinu.pl/research/wp-plugins/mail_5ba1c082d4ba9ccd1997e15b799ea1f3.html

https://wordpress.org/plugins/wp-statistics/changelog/

Related Vulnerabilities

CubeCart Improper Access Control Vulnerability (CVE-2015-6928)

Apache version older than 1.3.27

MySQL CVE-2021-2019 Vulnerability (CVE-2021-2019)

WordPress Plugin Contact Form 7 Database Multiple Vulnerabilities (1.1)

WordPress Plugin Authorize.net Payment Gateway For WooCommerce Security Bypass (2.0)

Severity

High

Classification

CWE-89 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update SQL Injection