Cyber Security Researcher Cyku Hong from the Taiwan-based company DEVCORE has found a serious security vulnerability in the WordPress plugin WP Statistics. This plugin is installed on over 600,000 websites and the flaw makes it possible for an attacker to conduct an SQL-injection attack.
The SQL-injection attack can be used to read sensitive information such as users and passwords from the WordPress user database. This vulnerability has been assigned CVE-2022-0513 and has a CVSS Score of 9.8 (Critical).
But we have some great news: the vulnerability can only be used if “Record Exclusions” feature is enabled. The vulnerable endpoint is located in the WordPress JSON-API interface at: /wp-json/wp-statistics/v2/hit
The argument exclusion_reason is user supplied and can be used to trigger the SQL-injection. In normal circumstances the nonce would be needed but since is_rest_request() is returning true if $_SERVER[‘REQUEST_URI’] contains the wp-json prefix.
We recommend to scan your website for vulnerabilities using WPSec and upgrade to the latest plugin version which is 13.1.5.
The vulnerable function can be found below and the MySQL-query $wpdb->query:
public static function record($exclusion = array())
{
global $wpdb;
// If we're not storing exclusions, just return.
if (self::record_active() != true) {
return;
}
// Check Exist this Exclusion in this day
$result = $wpdb->query("UPDATE " . DB::table('exclusions') . " SET `count` = `count` + 1 WHERE `date` = '" . TimeZone::getCurrentDate('Y-m-d') . "' AND `reason` = '{$exclusion['exclusion_reason']}'");
if (!$result) {
$insert = $wpdb->insert(
DB::table('exclusions'),
array(
'date' => TimeZone::getCurrentDate('Y-m-d'),
'reason' => $exclusion['exclusion_reason'],
'count' => 1,
)
);
if (!$insert) {
if (!empty($wpdb->last_error)) {
\WP_Statistics::log($wpdb->last_error);
}
}