Many of WordPress’ security holes come from insecure plugins
Many of WordPress’ security holes come from insecure plugins

A “severe” SQL injection vulnerability has been found in the popular WordPress plugin WordPress Statistics.

 Sucuri researchers discovered the vulnerability while security auditing popular open source products. If properly exploited, the vulnerability could be used to steal data.

WordPress allows developers to make content that can be injected into pages using a shortcode. This becomes a problem with the WP Statistics shortcode.

The vulnerability stems from data not being properly sanitised, the researchers note, resulting in “some attributes of the shortcode, wpstatistics, are being passed as parameters for important functions.”

Sucuri encourages users to update without delay if they are using a vulnerable version of WP Statistics.

WordPress is an immensely popular CMS, used by 60 million websites and 27.5 percent of the top 10 million websites. WordPress Statistics alone is currently installed on over 300,000 websites.

Still, this is far from the first time WordPress has been found with vulnerabilities. In fact, plenty of security issues have been found in the platform. In February, WordPress secretly patched a bug that would allow unauthenticated privilege escalation in WordPress REST API.

Nor is it the first time that a vulnerable plugin has provided a route into WordPress. In 2013, CheckMarx released a report showing that 20 percent of WordPress plugins and seven of the top 10 ecommerce plugins were vulnerable to basic web attacks.  

If an attacker were to find a list of plugins that a site uses, they could simply run a scan for known vulnerabilities in those plugins. Most recently, researchers found a “severe” SQL injection vulnerability in the gallery management plugin, NextGEN Gallery.

Amit Ashbel, cyber-security evangelist at Checkmarx, told SC Media UK that the popularity of the platform endures in spite of those holes: “Multiple large scale enterprises and SMBs use WordPress because it really does simplify managing and maintaining a web application. The real power of WordPress are its thousands of plugins which are developed by third parties and are there to provide additional functionality.”

Rather, these vulnerabilities are emblematic of a larger issue, said Ashbel: “The problem is no different than with other application companies and is very often related to trading off security in order to release in time and be first to market. I believe that with WordPress the problem is more acute because we are talking about hundreds if not thousands of ‘small' applications that are not properly vetted before made available.”