WordPress security: More than 600,000 sites hit by blind SQLi vulnerability in WP Statistics plugin

WP Statistics, a popular web analytics plugin for WordPress, contained a time-based blind SQL injection vulnerability that, if exploited, could result in sensitive information being exfiltrated from a site’s database.

Webmasters of WordPress sites running the open source plugin, which number more than 600,000, have been urged to update their systems as soon as possible.

The nature of the high severity (CVSS score 7.5) pre-authenticated vulnerability (CVE-2021-24340) means “exfiltrating information would be a relatively slow process, and it would be impractical to use it to extract bulk records”, said Ram Gall, threat analyst and QA engineer at WordPress security platform Wordfence, in a blog post published on Tuesday (May 18).

Nevertheless, “high-value information such as user emails, password hashes, and encryption keys and salts could be extracted in a matter of hours with the help of automated tools such as sqlmap.

“In a targeted attack, this vulnerability could be used to extract personally identifiable information from e-commerce sites containing customer information.

“This underscores the importance of having security protections with an endpoint firewall in place wherever sensitive data is stored.”

Constructing the attack

Among other traffic data, WP Statistics provides detailed figures about which pages website users visit.

Accessing a ‘Pages’ menu generates an SQL query that displays these statistics, said Gall.

Although the function is supposed to be restricted to administrators, “it was possible to start loading this page’s constructor by sending a request to wp-admin/admin.php with the page parameter set to wps_pages_page”, continued the threat analyst.

“Since the SQL query ran in the Page constructor,” any visitor could trigger the SQL query without logging in. “A malicious actor could then supply malicious values for the ID or type parameters.”

No esc_ape

As with another time-based blind SQL injection bug Wordfence recently discovered in CleanTalk’s AntiSpam plugin, the use of an esc_sql function failed to repel the attack for want of a prepared statement, said Gall.

Elaborating on the issue, the threat analyst told The Daily Swig: “We’ve seen multiple instances in the past where escaping input was insufficient and led to a false sense of security, and expect to see more in the future. Escaping input can be sufficient in some cases, but it’s not really a safe assumption anymore.”

He added: “Prepared statements have been considered a best practice for a long time now, and while some developers may have avoided them in the past because they can be tricky to implement manually, there’s not really an excuse for not using them in WordPress thanks to the ease of use that $wpdb->prepare() allows.”
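To make the distinction concrete, here is an added illustration of the two patterns in a WordPress plugin. It is constructed for this article, not code from WP Statistics or Wordfence; the table name, the `$id`/`$type` parameters and the capability used are assumptions.

```php
<?php
// Constructed example: why esc_sql() on its own is not a substitute for
// $wpdb->prepare(). Table and parameter names are illustrative only.

// Weak pattern. esc_sql() only escapes quote characters. If the value is
// interpolated into an unquoted position (a numeric comparison, ORDER BY,
// LIMIT), there is no quote to break out of, so a value made of SQL
// keywords and no quotes passes through unchanged and becomes part of the
// statement. That is exactly the situation escaping cannot repair.
function build_pages_query_weak( $wpdb, $id, $type ) {
    $id   = esc_sql( $id );   // unquoted below: escaping achieves nothing
    $type = esc_sql( $type ); // quoted below: escaping helps, but only here
    return "SELECT * FROM {$wpdb->prefix}example_pages "
         . "WHERE id = {$id} AND type = '{$type}'";
}

// Hardened pattern. $wpdb->prepare() binds each value by type: %d forces an
// integer, %s is quoted and escaped by the database layer. The query text
// and the data can no longer be confused with each other.
function build_pages_query_safe( $wpdb, $id, $type ) {
    return $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}example_pages WHERE id = %d AND type = %s",
        $id,
        $type
    );
}

// The second lesson from the write-up: do the authorisation check before any
// query runs, not in a later step that a constructor can bypass. The
// capability name is an assumption for the example.
function render_pages_stats( $wpdb, $id, $type ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    $sql = build_pages_query_safe( $wpdb, $id, $type );
    return $wpdb->get_results( $sql );
}
```

The weak function is kept only to show what esc_sql() does and does not cover; in real code only the prepared form should exist.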

Disclosure timeline

The Wordfence threat intelligence team alerted WP Statistics developer VeronaLabs to the vulnerability on March 13, and a release containing a fix, version 13.0.8, was issued on March 25.

The vulnerability affects all previous versions.

Mostafa Soufi, co-founder of VeronaLabs, told The Daily Swig that the bug was addressed “in the SELECT query on the admin side”.

Source: https://portswigger.net/daily-swig/wordpress-security-more-than-600-000-sites-hit-by-blind-sqli-vulnerability-in-wp-statistics-plugin

Copyright © 2023 Newsworthy News | Global | Political | Local | All News | Website By: Top Search SEO