A WordPress plugin installed on more than 300,000 websites around the world has been found to contain a “severe” SQL injection vulnerability.
Security firm Sucuri was auditing popular open source projects when it came across the vulnerability in the WordPress plugin WP Statistics. If successfully exploited, the vulnerability could allow attackers to steal website databases and even hijack websites remotely.
WordPress is the world’s most popular content management system (CMS), used by 60 million websites and a little over a quarter of the top 10 million websites. The WP Statistics plugin, a popular plugin for obtaining website visitor statistics, is installed on over 300,000 websites.
The vulnerability stems from data not being properly sanitised: the researchers note that “some attributes of the shortcode, wpstatistics, are being passed as parameters for important functions.” SQL injection is a web application bug that allows attackers to inject malicious Structured Query Language (SQL) code through web inputs in order to determine the structure and location of key databases, which eventually allows the database to be stolen. Because the function doesn’t check for additional privileges, basic subscribers are permitted to execute the shortcode and inject malicious code into its attributes.
As an example of how the vulnerability could be exploited: if the attacker writes new PHP code on the server via the plugin editor, another AJAX request can be used to execute it instantaneously, giving the attacker operating-system-level access to the server.
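To make the two failures described above concrete (shortcode attributes reaching SQL unsanitised, and no privilege check on who may run the shortcode), here is an added PHP illustration that is not the WP Statistics plugin’s own code; the shortcode name, table name and column names are assumed, and the hardened form uses standard WordPress APIs ($wpdb->prepare, current_user_can, shortcode_atts).

```php
<?php
// Added illustration, not WP Statistics' own code. A hypothetical
// "stats_count" shortcode whose attributes flow into a SQL query,
// shown in a vulnerable form and a hardened form. Table and column
// names are assumed.

// VULNERABLE PATTERN: attribute strings are interpolated straight into
// the query, and any user who can place a shortcode (even a subscriber)
// can drive what the query does.
function stats_count_vulnerable( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'stat' => 'visit', 'day' => '' ), $atts );
    $sql  = "SELECT SUM({$atts['stat']}) FROM {$wpdb->prefix}statistics_visit "
          . "WHERE last_counter = '{$atts['day']}'";
    return (string) $wpdb->get_var( $sql );
}

// HARDENED: require a capability, allow-list identifiers, bind values.
function stats_count_safe( $atts ) {
    global $wpdb;

    // 1. Privilege check: a subscriber should not be able to reach this
    //    query at all (assumes the shortcode is an admin-only feature).
    if ( ! current_user_can( 'manage_options' ) ) {
        return '';
    }

    $atts = shortcode_atts( array( 'stat' => 'visit', 'day' => '' ), $atts );

    // 2. Column names cannot be bound as parameters, so map the attribute
    //    through a fixed allow-list instead of trusting the string.
    $columns = array( 'visit' => 'visit', 'visitor' => 'visitor' );
    $key     = sanitize_key( $atts['stat'] );
    if ( ! isset( $columns[ $key ] ) ) {
        return '';
    }
    $column = $columns[ $key ];

    // 3. Validate the value's shape, then still bind it with prepare()
    //    so it can never alter the query structure.
    $day = $atts['day'] !== '' ? $atts['day'] : current_time( 'Y-m-d' );
    if ( ! preg_match( '/^\d{4}-\d{2}-\d{2}$/', $day ) ) {
        return '';
    }
    $sql = $wpdb->prepare(
        "SELECT SUM({$column}) FROM {$wpdb->prefix}statistics_visit WHERE last_counter = %s",
        $day
    );
    return (string) absint( $wpdb->get_var( $sql ) );
}

add_shortcode( 'stats_count', 'stats_count_safe' );
```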
Although we are happy to report that the vulnerability has since been patched, if you are still running an older version of the plugin you may still be vulnerable. It is also recommended that you update your version of WordPress.
About IntelliTeK Pty Ltd
IntelliTeK is a managed IT services company in Sydney, Australia. With major vendor relationships and accreditations from the world’s leading IT companies, including WatchGuard, Microsoft, Trend Micro and Amazon Web Services, IntelliTeK has kept clients happy since 2007.
IntelliTeK is always up to date with the latest cloud backup solutions, which is why we only partner with the best in the industry. If your company isn’t fully equipped to fend off cyber criminals, get in touch with us so we can discuss your options. Call us on 1300 768 779, email us at email@example.com, fill out the web form, or have a Live Chat with us below.