The WP Statistics WordPress plugin, a popular tool for tracking website analytics and visitor statistics in WordPress, was recently found to have an unauthenticated SQL injection vulnerability in certain versions. This post will provide an in-depth look at this vulnerability, designated CVE-2022-25149, including the affected versions, code snippets, original references, and exploit details.

Background

WP Statistics is a widely-used plugin for WordPress websites, providing site administrators with valuable insights into visitor behavior and site performance. Unfortunately, versions up to and including 13.1.5 of the plugin contain a serious security flaw that could allow an attacker without authentication to inject arbitrary SQL queries and obtain sensitive information from the website's database.

Vulnerability Details

The vulnerability lies in the insufficient escaping and parameterization of the IP parameter found in the ~/includes/class-wp-statistics-hits.php file. Attackers could exploit this vulnerability to perform SQL injection attacks and gain unauthorized access to sensitive information, potentially leading to further compromise of the website and its data.

Within the ~/includes/class-wp-statistics-hits.php file, the vulnerable code is shown below:

public function record_hit() {
    ...
    // Visitor address taken from the request; attacker-controlled input.
    $ip = $this->get_IP();
    ...
    // $ip (and $current_date) are interpolated directly into the SQL string
    // instead of being bound through $wpdb->prepare(), so the value becomes
    // part of the query grammar rather than data.
    $result = $wpdb->get_results("SELECT * FROM {$wpdb->prefix}statistics_visitor WHERE last_counter = '{$current_date}' AND ip = '{$ip}'", ARRAY_A);
}

As seen in the code snippet above, the $ip variable, which represents the visitor's IP address, is not properly escaped or parameterized when included in the SQL query. This oversight allows an attacker to manipulate the query through the unverified IP parameter.
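As an added example, not part of the original post or the plugin's own code, the same lookup is shown below in its unsafe form beside a hardened version that validates the address and binds it with $wpdb->prepare(). It assumes the standard WordPress $wpdb global and that $ip and $current_date are passed in by the caller.

```php
<?php
// Added example (not the plugin's code). Assumes the WordPress $wpdb API.

// BEFORE: string interpolation, the pattern described in CVE-2022-25149.
// Whatever characters the client controls in $ip land inside the SQL text.
function record_hit_vulnerable( $ip, $current_date ) {
    global $wpdb;
    return $wpdb->get_results(
        "SELECT * FROM {$wpdb->prefix}statistics_visitor
          WHERE last_counter = '{$current_date}' AND ip = '{$ip}'",
        ARRAY_A
    );
}

// AFTER: reject anything that is not syntactically an IP address, then pass
// both values as %s placeholders so $wpdb->prepare() escapes and quotes them.
// The table prefix is server-side configuration, not user input, so keeping it
// interpolated is acceptable; only the data values need binding.
function record_hit_hardened( $ip, $current_date ) {
    global $wpdb;

    // filter_var() returns false for anything that is not a valid IPv4/IPv6
    // literal, which also catches header values padded with extra characters.
    if ( filter_var( $ip, FILTER_VALIDATE_IP ) === false ) {
        return null; // caller should log the rejected value and skip the hit
    }

    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}statistics_visitor
          WHERE last_counter = %s AND ip = %s",
        $current_date,
        $ip
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}
```

The validation step is defence in depth: prepare() alone closes the injection, but refusing non-IP values also keeps garbage out of the visitor table and gives you a clear log line to alert on.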

Affected Versions

The vulnerability affects the WP Statistics WordPress plugin in versions up to and including 13.1.5.

Exploit Details

To exploit this vulnerability, an attacker simply needs to modify their IP address in the HTTP request headers when interacting with a vulnerable website running the WP Statistics plugin. By injecting malicious SQL code into their IP address, an attacker can manipulate the query, allowing them to retrieve sensitive information without authentication.

Original References

The vulnerability was first disclosed by researchers at Wordfence, who posted a detailed analysis of the issue on their blog. An official CVE has been assigned (CVE-2022-25149), and additional information can be found in the following resources:

1. Wordfence blog post: https://www.wordfence.com/blog/2022/02/unauthenticated-sql-injection-vulnerability-patched-in-wp-statistics/
2. CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25149

Mitigation & Recommendations

Website administrators who are using the WP Statistics plugin on their WordPress sites should immediately update to version 13.1.6 or later, which contains a patch for this vulnerability. In addition, it's important to follow security best practices for WordPress, such as maintaining strong and unique passwords, keeping all plugins and themes up to date, and implementing additional security measures like two-factor authentication and web application firewalls.

Conclusion

CVE-2022-25149 is a serious unauthenticated SQL injection vulnerability affecting the WP Statistics WordPress plugin (<=13.1.5). By exploiting this vulnerability, attackers can obtain sensitive information without authentication, potentially compromising both user data and website integrity. Website administrators should update the plugin to a patched version immediately and follow proper security measures to prevent future attacks.

Timeline

Published on: 02/24/2022 19:15:00 UTC
Last modified on: 03/03/2022 18:12:00 UTC