WordPress Plugin WP Statistics Patches XSS Flaw

silversurfer

The WordPress plugin WP Statistics has patched a cross-site scripting (XSS) vulnerability that could lead to a full website takeover, but only when the site runs a specific non-default configuration.

WP Statistics gives website owners a tool to analyze site statistics, such as the number of visitors on the site, which browsers visitors are using, and more. The plugin is made by VeronaLabs and has more than 500,000 active installations.

The flaw is an unauthenticated stored XSS in the plugin's IP-detection feature, which lets a site administrator configure the plugin to read each visitor's IP address from an HTTP request header instead of the default source. Because a request header is set by the visitor, a crafted header value is recorded as the visitor's "IP address" and later rendered in the plugin's administrative pages, where the injected client-side script executes in the browser of whoever views them. The vulnerability can only be exploited when the affected site uses that non-default header-based configuration; default settings are not vulnerable, said researchers with Sucuri, who discovered the flaw.
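As an added illustration, not the plugin's own code (which is PHP) and not taken from the Sucuri write-up: a Python sketch of the unsafe pattern described above, a configured header value taken verbatim and later rendered into an admin page, next to a hardened version that only honours a forwarding header from a trusted proxy, validates the value as an IP address before storing it, and escapes on output. The header names, addresses, sample requests and the `trusted_proxies` parameter are assumptions made for this example.

```python
import html
import ipaddress

# Constructed sample requests in CGI/WSGI environ form (not captured traffic).
# REMOTE_ADDR is filled in by the web server from the TCP connection; every
# HTTP_* entry is a request header and therefore chosen by the client.
DIRECT_VISITOR = {"REMOTE_ADDR": "203.0.113.7"}
BEHIND_PROXY = {"REMOTE_ADDR": "10.0.0.2",
                "HTTP_X_FORWARDED_FOR": "198.51.100.9, 10.0.0.2"}
MALICIOUS = {"REMOTE_ADDR": "10.0.0.2",
             "HTTP_X_FORWARDED_FOR": "<script>alert(document.cookie)</script>"}


def visitor_ip_unsafe(environ, source="REMOTE_ADDR"):
    """Vulnerable pattern: return whatever the configured source holds, verbatim.

    With source="REMOTE_ADDR" this is harmless; with a header such as
    HTTP_X_FORWARDED_FOR (assumed name) it stores attacker-controlled text
    as the visitor's "IP address".
    """
    return environ.get(source, "")


def render_row_unsafe(ip):
    """Admin-page template that trusts the stored value: this is the XSS sink."""
    return f"<td>{ip}</td>"


def visitor_ip_safe(environ, source="REMOTE_ADDR", trusted_proxies=()):
    """Hardened pattern (an assumed design, not the plugin's actual fix):

    - honour a forwarding header only when the connection itself came from
      a proxy the site operator listed as trusted,
    - take the first (client) hop of a comma-separated chain,
    - require the result to parse as an IP address before storing it,
    - otherwise fall back to the connection address.
    """
    remote = environ.get("REMOTE_ADDR", "")
    if source != "REMOTE_ADDR" and remote in trusted_proxies:
        candidate = environ.get(source, "").split(",")[0].strip()
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            pass  # not an IP address: discard the header, never store it
    # REMOTE_ADDR is validated too; a malformed value raises rather than
    # being stored silently.
    return str(ipaddress.ip_address(remote))


def render_row_safe(ip):
    """Escape on output as well: defence in depth if a bad value was ever stored."""
    return f"<td>{html.escape(ip, quote=True)}</td>"


if __name__ == "__main__":
    stored = visitor_ip_unsafe(MALICIOUS, "HTTP_X_FORWARDED_FOR")
    print("unsafe admin row :", render_row_unsafe(stored))
    print("safe, untrusted proxy:", visitor_ip_safe(MALICIOUS, "HTTP_X_FORWARDED_FOR"))
    print("safe, trusted proxy  :", visitor_ip_safe(
        BEHIND_PROXY, "HTTP_X_FORWARDED_FOR", trusted_proxies=("10.0.0.2",)))
```

The two independent checks matter in different places: validating at the point of storage keeps the script out of the database, while escaping at the point of rendering protects the admin page even if some other code path stores an unvalidated value later.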

“Certain types of information might seem safe, such as the visitor’s IP address, but in reality aren’t always what you expect,” said Antony Garand, security vulnerability researcher at Sucuri, in a Wednesday analysis. “Due to certain assumptions from the developers, it is possible for visitors to inject malicious code on administrative pages, leading to a full website takeover.”

Versions of the plugin before 12.6.7 are affected; the fix shipped in version 12.6.7. The researchers said they first contacted the developer about the flaw on June 26, 2019, and the patch was released on July 1.
 
