Security Advisory – High severity – WP-Statistics WordPress Plugin

November 20, 2014, by Marc-Alexandre Montpas

Security Risk: High

Exploitation Level: Easy/Remote

DREAD Score: 7/10

Vulnerability: Stored XSS which executes on the administration panel.

Patched Version: 8.3.1


If you’re using the WP-Statistics WordPress plugin on your website, now is the time to update. While doing a routine audit for our Website Firewall product, we discovered a few vulnerabilities in the plugin that could be used by malicious individuals to put your site’s security at risk.

What are the risks?

Every website using version 8.3 or lower of this plugin should be considered vulnerable.

An attacker can use Stored Cross Site Scripting (XSS) and Reflected XSS attack vectors to force a victim’s browser to perform administrative actions on the attacker's behalf. Leveraging this vulnerability, one could create new administrator account[s], insert SEO spam in legitimate blog posts, and perform a number of other actions within the WordPress admin panel.

If you use an affected version of this plugin, update as soon as possible!

Technical details

We will disclose all technical details in 30 days.

But the problem is very simple. The plugin fails to properly sanitize some of the data it gathers for statistical purposes, data that is controlled by the website’s visitors. If an attacker decided to put malicious JavaScript code in the affected parameter, it would be saved in the database and printed as-is in the administrative panel, forcing the victim’s browser to perform background tasks on the attacker's behalf.

In our proof of concept, we were able to create new admin accounts using this vulnerability.
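The output-side mistake described above, shown as an added PHP illustration that is not code from WP-Statistics (the column names and sample rows are constructed assumptions): a stored, visitor-controlled value rendered as-is on an admin page, next to the same rendering escaped at the point of output.

```php
<?php
// Added illustration, not code from WP-Statistics: the "stored value is
// printed as-is in the admin panel" bug, next to the escape-on-output fix.
// Column names are assumptions.

// Outside WordPress, provide a stand-in for esc_html() so this runs alone.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed sample rows, standing in for visitor-supplied statistics
// read back from the database. A visitor fully controls these strings.
$rows = [
    ['agent' => 'Mozilla/5.0 (X11; Linux x86_64)', 'referrer' => 'https://example.org/'],
    ['agent' => '<em>constructed</em> "sample"',   'referrer' => 'https://example.org/?q=<x>'],
];

// Vulnerable pattern: whatever the visitor sent becomes markup in the
// administrator's page, so the browser interprets it instead of showing it.
function render_stats_unescaped(array $rows): string {
    $html = '<table>';
    foreach ($rows as $row) {
        $html .= "<tr><td>{$row['agent']}</td><td>{$row['referrer']}</td></tr>";
    }
    return $html . '</table>';
}

// Hardened pattern: escape at the point of output. Storing the raw value is
// fine (statistics need it intact); the fix is to never emit it unescaped,
// so angle brackets and quotes reach the browser as character references.
function render_stats_escaped(array $rows): string {
    $html = '<table>';
    foreach ($rows as $row) {
        $html .= '<tr><td>' . esc_html($row['agent']) . '</td><td>'
               . esc_html($row['referrer']) . '</td></tr>';
    }
    return $html . '</table>';
}

echo "Unescaped: " . render_stats_unescaped($rows) . PHP_EOL;
echo "Escaped:   " . render_stats_escaped($rows) . PHP_EOL;
```

Inside WordPress the real esc_html() is used and the fallback is skipped; for attribute contexts the matching helpers (esc_attr(), esc_url()) apply the same principle.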

Upgrade as soon as possible!

This is quite a dangerous vulnerability, so upgrading your affected websites should be done as soon as possible! Of course, all our Website Firewall customers have been proactively protected against this vulnerability via our Virtual Patching technology.


Categories: Security Advisory, Security Education, Vulnerability Disclosure, WordPress Security

Tags: WordPress Plugins and Themes

About Marc-Alexandre Montpas

Marc-Alexandre Montpas is Sucuri’s Senior Security Analyst who joined the company in 2014. Marc’s main responsibilities include reversing security patches and scavenging vulnerabilities, old and new. His professional experience covers eight years of finding bugs in open-source software. When Marc isn’t breaking things, you might find him participating in a hacking CTF competition. Connect with him on Twitter.

Reader Interactions

Comments

  1. bobfox321

    November 24, 2014

    Now I have a new error AFTER updating to WP Statistics Version 8.3.1. Have no idea what this means whatsoever! ERROR: WP Statistics has detected an unsupported version of PHP, WP Statistics will not function without PHP Version 5.3.0 or higher! Your current PHP version is 5.2.17.

    • shugo1110

      November 26, 2014

      You should ask your provider if they could update PHP for you.

  2. Brandenlee

    November 25, 2014

    WordPress 4.0 is giving a lot of error messages and problems. My hosting is not helping me one bit.

  3. James

    November 25, 2014

    Does this affect comments that come through on trace / pingback?
