SQL Injection in WordPress plugin WP statistics

A new SQL Injection vulnerability is discovered in popular WordPress plugin WP statistics known to be used by nearly 300,000+ websites caused by the lack of sanitization in the user input allows a remote attacker, with at least a subscriber account, to steal sensitive information from the website’s database and possibly gain unauthorized access to websites.

According to a blog published by Sucuri, WordPress provides an API that enables developers to create content that users can inject to certain pages just using a simple shortcode:

[shortcode atts_1=”test” atts_2=”test”]

Among other functionalities, WP Statistics allows admin users to get detailed information related with the number of visits by just calling the shortcode below:


As you can see on the above image, some attributes of the shortcode wpstatistics are being passed as parameters for important functions and this shouldn’t be a problem if those parameters were sanitized, but as we’ll see this is not the case.

One of the vulnerable functions wp_statistics_searchengine_query() in the file “includes/functions/functions.php” is accessible through WordPress’ AJAX functionality thanks to the core function wp_ajax_parse_media_shortcode().

This function doesn’t check for additional privileges, allowing subscribers to execute this shortcode and inject malicious data to its attributes.

In a number places in the code, user input coming from attributes of the wpstatistics shortcode are included in SQL queries without being sanitized. Below one of the queries that were exploitable:


The wp_statistics_searchengine_query() basically returns the same value as the one passed in the shortcode attribute provider and its content is added directly to the raw SQL query

To prevent this vulnerability update the plugin ASAP or deploy a firewall.

Author: Cognore

Cyber Security Solution

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s