WP Statistics, a popular web analytics plugin for WordPress, contained a time-based blind SQL injection vulnerability that, if exploited, could result in sensitive information being exfiltrated from a site’s database.
Webmasters of WordPress sites running the open source plugin, which number more than 600,000, have been urged to update their systems as soon as possible.
The nature of the high severity (CVSS score 7.5) pre-authenticated vulnerability (CVE-2021-24340) means “exfiltrating information would be a relatively slow process, and it would be impractical to use it to extract bulk records”, said Ram Gall, threat analyst and QA engineer at WordPress security platform Wordfence, in a blog post published on Tuesday (May 18).
Nevertheless, “high-value information such as user emails, password hashes, and encryption keys and salts could be extracted in a matter of hours with the help of automated tools such as sqlmap.
In a targeted attack, this vulnerability could be used to extract personally identifiable information from e-commerce sites containing customer information.
“This underscores the importance of having security protections with an endpoint firewall in place wherever sensitive data is stored.”
Constructing the attack
Among other traffic data, WP Statistics provides detailed figures about which pages website users visit.
Accessing a ‘Pages’ menu generates an SQL query that displays these statistics, said Gall.
Although the function is supposed to be restricted to administrators, “it was possible to start loading this page’s constructor by sending a request to wp-admin/admin.php with the page parameter set to wps_pages_page”, continued the threat analyst.
“Since the SQL query ran in the Page constructor,” any visitor could trigger the SQL query without logging in. “A malicious actor could then supply malicious values for the ID or type parameters.”
No esc_ape
As with another time-based blind SQL injection bug Wordfence recently discovered in CleanTalk’s AntiSpam plugin, the use of an esc_sql function failed to repel the attack for want of a prepared statement, said Gall.
Elaborating on the issue, the threat analyst told The Daily Swig: “We’ve seen multiple instances in the past where escaping input was insufficient and led to a false sense of security, and expect to see more in the future. Escaping input can be sufficient in some cases, but it’s not really a safe assumption anymore.
He added: “Prepared statements have been considered a best practice for a long time now, and while some developers may have avoided them in the past because they can be tricky to implement manually, there’s not really an excuse for not using them in WordPress thanks to the ease of use that $wpdb->prepare() allows.”
Disclosure timeline
The Wordfence threat intelligence team alerted WP Statistics developer VeronaLabs to the vulnerability on March 13, and a release containing a fix, version 13.0.8, was issued on March 25.Content-length
The vulnerability affects all previous versions.
Mostafa Soufi, co-founder of VeronaLabs, told The Daily Swig that the bug was addressed “in the SELECT query on the admin side”.
