Security update: WordPress plugin WP Statistics could leak password hashes

If the WP Statistics plug-in is used on a WordPress site, attackers could “critical” Fix the vulnerability (CVE-2022-0513) and access information that is actually isolated. An updated version can remedy this.

The plug-in collects GDPR-compliant statistics about website visitors and visualizes this data. According to the official plugin website, it has 600,000 active installations. Admins should ensure that the current Issue 13.1.5 is installed.

In a Wordfence post, the security researchers state that pages with the plug-in are only vulnerable if the record exclusion feature is active. In order not to falsify the statistics, you can specify, for example, that page views from admins are not counted.

However, this leads to errors and attackers could add their own SQL queries to existing queries and use them, for example, to extract password hashes from the database.


To home page