A bug has been identified in a popular WordPress plugin that allows an unauthenticated attacker to steal sensitive database information.
The WP Statistics plugin provides website owners with visitor analytics, including information about how visitors arrived on the site, the pages and posts they visited, the browser used, along with anonymized location data. The plugin has been installed on approximately 600,000 WordPress websites.
Researchers at Wordfence identified an SQL injection vulnerability in the Pages function of the plugin, which admins use to see the number of page views and which pages have received the most traffic. This function runs SQL queries against the backend database to pull in the data, but the researchers found that it could be hijacked by an unauthenticated attacker to run their own SQL queries and obtain sensitive data. The flaw is tracked as CVE-2021-24340 and was given a CVSS severity score of 7.5 out of 10.
The function was intended only to be used by administrators and prevents its output from being displayed to non-administrator users; however, the researchers found that the constructor of the page could be loaded by sending a request to wp-admin/admin.php with the page parameter set to wps_pages_page. Because the SQL query ran in the constructor of the Pages page, any site visitor could cause the query to run, even when not logged in, and could therefore supply malicious values for the ID or type parameter.
The researchers explained that this is a time-based blind SQL injection vulnerability, which involves sending requests to the database that guess the content of a database table and instruct the database to delay its response if the guess is not correct. An attacker could, for instance, try to obtain the email address of an administrator by querying whether its first letter is an A, with the response delayed if the guess is not correct, and repeating the process until the correct value is obtained. This approach would allow an attacker to deduce the email address, albeit very slowly.
The researchers explained that this approach would not be practical for extracting large amounts of data, but would be useful to obtain administrator email addresses, password hashes, or encryption keys and salts. While slow, the process could be automated, and the required information could be extracted within a couple of hours.
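The guessing pattern described above leaves a recognisable trace in web server logs: many requests from one client to admin.php with page=wps_pages_page, ID or type values that are not the plain values the report uses, and response times clustered around an artificial delay. The following is an added example, not code from the article or from WP Statistics, of a log check a site operator could run; the log format, the constructed sample lines, the set of legitimate type values and the delay threshold are all assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (not real traffic). Assumed format:
# client_ip [timestamp] "METHOD target HTTP/1.1" status response_time_ms
SAMPLE_LOG = """\
198.51.100.7 [12/May/2021:10:00:01 +0000] "GET /wp-admin/admin.php?page=wps_pages_page&ID=12&type=post HTTP/1.1" 200 38
203.0.113.9 [12/May/2021:10:00:02 +0000] "GET /wp-admin/admin.php?page=wps_pages_page&ID=12%20a%20b&type=post HTTP/1.1" 200 5031
203.0.113.9 [12/May/2021:10:00:08 +0000] "GET /wp-admin/admin.php?page=wps_pages_page&ID=12%20a%20c&type=post HTTP/1.1" 200 41
203.0.113.9 [12/May/2021:10:00:09 +0000] "GET /wp-admin/admin.php?page=wps_pages_page&ID=12&type=x%20y HTTP/1.1" 200 5022
198.51.100.7 [12/May/2021:10:00:15 +0000] "GET /wp-admin/index.php HTTP/1.1" 200 20
"""

LINE_RE = re.compile(r'^(\S+) \[[^\]]+\] "(\S+) (\S+) [^"]+" (\d{3}) (\d+)$')
ALLOWED_TYPES = {"page", "post"}  # assumption: values a legitimate report request uses
DELAY_MS = 3000  # assumption: responses slower than this are treated as artificially delayed

def suspicious_requests(log_text):
    """Return (ip, reason) for requests to the WP Statistics Pages page whose ID/type
    parameters have an unexpected shape or whose response was unusually slow."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _method, target, _status, ms = m.groups()
        url = urlsplit(target)
        if url.path != "/wp-admin/admin.php":
            continue
        params = parse_qs(url.query)
        if params.get("page") != ["wps_pages_page"]:
            continue
        reasons = []
        id_val = params.get("ID", [""])[0]
        type_val = params.get("type", [""])[0]
        if id_val and not id_val.isdigit():
            reasons.append("non-numeric ID")
        if type_val and type_val not in ALLOWED_TYPES:
            reasons.append("unexpected type")
        if int(ms) >= DELAY_MS:
            reasons.append("delayed response")
        if reasons:
            findings.append((ip, ", ".join(reasons)))
    return findings

def ips_to_review(log_text, min_hits=2):
    """IPs with at least min_hits findings: the repeated guessing the article describes."""
    counts = defaultdict(int)
    for ip, _ in suspicious_requests(log_text):
        counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n >= min_hits)
```

A single flagged request can be noise; the repeat count per client is what separates the guessing loop from an administrator viewing the report.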
“In a targeted attack, this vulnerability could be used to extract personally identifiable information from commerce sites containing customer information. This underscores the importance of having security protections with an endpoint firewall in place wherever sensitive data is stored,” explained the researchers, who said exploiting the vulnerability to extract sensitive information is trivial.
While an attack could be time-consuming, exploitation is trivial and an attacker could extract sensitive data such as usernames, passwords, and credit card info. The vulnerability has been fixed in version 13.0.8 of the plugin. All users of the plugin should update to the latest version as soon as possible to prevent exploitation.