The United States Government National Vulnerability Database (NVD) has issued an advisory regarding a vulnerability detected in the WP Statistics WordPress plugin, which impacts up to 600,000 active installations.
This vulnerability has been assigned a medium threat level score of 6.5 on a scale of 1 to 10, with 10 representing the most severe level of vulnerability.
WP Statistics Cross-Site Request Forgery (CSRF)
The WP Statistics plugin contains a Cross-Site Request Forgery vulnerability that can allow an attacker to compromise a website by activating or deactivating plugins.
Cross-Site Request Forgery is an attack that requires a registered website user (such as an administrator) to perform an action like clicking a link, thereby enabling an attacker to exploit a security gap.
In this case, the security gap is due to "missing or incorrect nonce validation."
A WordPress nonce is a security token provided to a registered user, enabling them to securely perform actions that only a registered user can do. The WordPress developer pages give an example of an administrator deleting a post.
WordPress might generate a URL like the following when an administrator-level user deletes a post; the hypothetical URL below is for a post with an ID number of 123:
http://example.com/wp-admin/post.php?post=123&action=trash
For a logged-in WordPress site admin, WordPress attaches a nonce to the request, so the URL in this example may look like this:
http://example.com/wp-admin/post.php?post=123&action=trash&_wpnonce=b192fc4204
The last part, &_wpnonce=b192fc4204, is the nonce.
In the WP Statistics plugin, the nonce is either missing or not properly validated, creating a security gap for a malicious hacker to exploit.
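As an added illustration (not code from WordPress or from the WP Statistics plugin), the following Python model mirrors the WordPress nonce scheme (an HMAC over tick, action, user ID and session token, valid for the current and previous 12-hour tick) and a plugin-toggle handler run with and without nonce validation; the salt, session token, action name and handler are constructed for this example.

```python
import hashlib
import hmac
import math
import time

# Constructed server-side secret standing in for wp_salt('nonce'); not a real WordPress value.
NONCE_SALT = b"constructed-nonce-salt-for-this-example"
NONCE_LIFE = 24 * 60 * 60  # DAY_IN_SECONDS: a nonce is accepted for one or two 12-hour ticks
ACTION = "wp_statistics_toggle_plugin"  # hypothetical action name, not taken from the plugin

def nonce_tick(now):
    # Mirrors wp_nonce_tick(): number of the current 12-hour window.
    return math.ceil(now / (NONCE_LIFE / 2))

def _nonce_hash(tick, action, uid, session_token):
    # wp_hash() is HMAC-MD5 over "tick|action|uid|session_token"; WordPress keeps 10 chars of it.
    data = f"{tick}|{action}|{uid}|{session_token}".encode()
    return hmac.new(NONCE_SALT, data, hashlib.md5).hexdigest()[-12:-2]

def create_nonce(action, uid, session_token, now=None):
    now = time.time() if now is None else now
    return _nonce_hash(nonce_tick(now), action, uid, session_token)

def verify_nonce(nonce, action, uid, session_token, now=None):
    # Mirrors wp_verify_nonce(): 1 for the current tick, 2 for the previous tick, False otherwise.
    now = time.time() if now is None else now
    tick = nonce_tick(now)
    if not nonce:
        return False
    if hmac.compare_digest(_nonce_hash(tick, action, uid, session_token), str(nonce)):
        return 1
    if hmac.compare_digest(_nonce_hash(tick - 1, action, uid, session_token), str(nonce)):
        return 2
    return False

def toggle_plugin(params, user, check_nonce=True, now=None):
    """Model of a plugin activate/deactivate handler. check_nonce=False reproduces the
    'missing nonce validation' defect: any request the admin's browser sends is honoured."""
    if not user.get("can_activate_plugins"):
        return "denied: capability"
    if check_nonce and not verify_nonce(params.get("_wpnonce"), ACTION,
                                        user["id"], user["session"], now):
        return "denied: bad nonce"
    return f"{params['do']}:{params['plugin']}"

# Constructed admin session and a forged request carrying no nonce (what a CSRF link would send).
ADMIN = {"id": 1, "session": "sess-abc", "can_activate_plugins": True}
FORGED = {"do": "activate", "plugin": "some-plugin"}
```

Running `toggle_plugin(FORGED, ADMIN, check_nonce=False)` succeeds, while the same request with validation enabled is rejected unless it carries a nonce minted for this admin, this session and this action.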
The National Vulnerability Database (NVD) explains it like this:
"The WP Statistics plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 13.1.1. This is due to missing or incorrect nonce validation on the view() function. This makes it possible for unauthenticated attackers to activate and deactivate arbitrary plugins via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link."
CSRF Vulnerability Patch
The WP Statistics plugin vulnerability affects versions up to and including 13.1.1. However, numerous security fixes have been added since then, including in version 13.2.11, along with additional fixes afterward.
The current version of the plugin is 14.0.1. At present, only 29.3% of users are using the latest version.
Users of the outdated version of the plugin are advised to consider updating to the latest version.
Read the NVD security advisory:
CVE-2021-4333 Detail