The Wordfence team discovered a vulnerability in WP Statistics that allowed any site visitor to extract sensitive information from a site’s database via time-based blind SQL injection. WP Statistics is a WordPress plugin that lets site owners see detailed statistics about their visitors, including which pages they visit. It is installed on over 600,000 WordPress sites.
Time-based blind SQL injection
The “Pages” page was intended for administrators only and would not display information to non-admin users. However, the page’s constructor could be triggered simply by sending a request to wp-admin/admin.php with the page parameter set to wps_pages_page. Because the SQL query ran inside that constructor, ahead of the check that hides the page’s output from non-admins, any site visitor, including one who was not logged in, could cause the query to execute. A malicious actor could then supply crafted values for the ID or type parameters, and since the query returned nothing to an unauthorized visitor, the only usable signal was the response time, which is what makes this a time-based blind injection.
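The following is an added illustration of the pattern described above, written for this page rather than taken from WP Statistics or Wordfence. It contrasts a page class that builds and runs a query from request input in its constructor with a hardened form that defers the work, checks the user’s capability first, validates the inputs and parameterizes the statement. The class, table and column names and the list of allowed types are hypothetical.

```php
<?php
// Added example, not WP Statistics' own code. Class, table and column names
// and the ALLOWED_TYPES list are hypothetical placeholders.

// VULNERABLE PATTERN: the query runs as soon as the object is built, so any
// code path that instantiates the class for a request carrying the matching
// `page` parameter executes the statement, whoever sent the request. `ID` and
// `type` are concatenated straight into the SQL, so a value such as
// type=home' AND SLEEP(5)-- turns the query into a time-based oracle.
class WPS_Pages_Page_Vulnerable {
    public $rows;

    public function __construct() {
        global $wpdb;
        $id   = isset( $_GET['ID'] )   ? $_GET['ID']   : 0;
        $type = isset( $_GET['type'] ) ? $_GET['type'] : 'home';
        $this->rows = $wpdb->get_results(
            "SELECT * FROM {$wpdb->prefix}statistics_pages WHERE id = $id AND type = '$type'"
        );
    }
}

// HARDENED PATTERN: instantiation has no side effects. The query lives in a
// render method that refuses non-administrators before touching the database,
// coerces ID to an integer, restricts type to a whitelist, and binds both
// through $wpdb->prepare() so they can only ever be data, never SQL.
class WPS_Pages_Page_Hardened {
    const ALLOWED_TYPES = array( 'home', 'post', 'page', 'category' ); // hypothetical

    public function __construct() {
        // Intentionally empty: constructing the page must not run queries.
    }

    public function render() {
        global $wpdb;

        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( __( 'You do not have permission to view this page.' ), 403 );
        }

        $id   = absint( $_GET['ID'] ?? 0 );              // non-negative integer or 0
        $type = sanitize_key( $_GET['type'] ?? 'home' ); // lowercase [a-z0-9_-] only
        if ( ! in_array( $type, self::ALLOWED_TYPES, true ) ) {
            $type = 'home';
        }

        return $wpdb->get_results(
            $wpdb->prepare(
                "SELECT * FROM {$wpdb->prefix}statistics_pages WHERE id = %d AND type = %s",
                $id,
                $type
            )
        );
    }
}
```

The ordering in the hardened version is the point: the capability check comes before any database access, and the query is parameterized even though the inputs have already been validated, so a later change to the whitelist or to the integer coercion cannot silently reopen the injection. Keeping constructors free of side effects also matters on its own, because, as this case shows, an object can be constructed by a code path that never reaches the page’s own display check.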
“Exfiltrating information would be a relatively slow process, and it would be impractical to use it to extract bulk records, but high-value information such as user emails, password hashes, and encryption keys and salts could be extracted in a matter of hours with the help of automated tools such as sqlmap. In a targeted attack, this vulnerability could be used to extract personally identifiable information from commerce sites containing customer information. This underscores the importance of having security protections with an endpoint firewall in place wherever sensitive data is stored,” according to Wordfence.
“Fortunately, all sites running Wordfence, including those using Wordfence Premium as well as the free version, are protected against this vulnerability by the Wordfence firewall’s built-in SQL injection protection. This built-in protection blocks most SQL injection attempts even if a vulnerability is not yet known,” said the researchers.