27 May 2022

Not Really a WordPress Plugin Vulnerability, Week of May 27

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For the more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of reports that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Reflected Cross-Site Scripting in WP Statistics

Automattic’s WPScan made this claim about a supposed reflected cross-site scripting vulnerability in the plugin WP Statistics: [Read more]

25 May 2022

600,000+ Install WordPress Plugin WP Statistics Isn’t Properly Securing Its Optimization Functionality

Yesterday the JVN released a vague report claiming that a cross-site scripting (XSS) vulnerability had been fixed in version 13.2.0 of the WordPress plugin WP Statistics. There isn’t enough information provided to confirm that there was a vulnerability or that it was fixed.

Confusingly, one of our competitors, Automattic’s WPScan, is citing that report as the source for a claim that a vulnerability was fixed in version 13.2.2 of the plugin: [Read more]

5 Jul 2019

Sucuri, WPScan, and Others Incorrectly Claim Persistent XSS Vulnerability in WordPress Plugin with 500,000+ Installs Has Been Fixed

Two days ago the web security company Sucuri disclosed a vulnerability in the very popular WordPress plugin WP Statistics, which has 500,000+ active installations, and claimed it had been fixed. The post is fairly hard to follow and seems to mostly make a case that firewalls can introduce additional security risk, which is an odd argument for a provider of a firewall to make.

Considering Sucuri’s recent track record of getting basic details wrong when it comes to WordPress plugin vulnerabilities, including claiming that a vulnerability existed that didn’t and trashing a developer falsely, you can’t take their claims at face value. Their post makes it hard to follow what exactly the issue is, but more importantly it provides neither a proof of concept nor an explanation of how the vulnerability was supposed to have been fixed, so without doing additional work it isn’t possible to confirm whether what they claimed is correct. [Read more]

7 Jun 2019

WPScan Vulnerability Database Leaving Those Relying on It Unaware of “Vulnerability” in Plugin With 500,000+ Installs

When it comes to getting data on vulnerabilities in WordPress plugins, what we have noticed is that many sources are not using unique data, but instead reusing data from another source, often without letting people know what the true source is and never with a disclaimer about the quality issues that are inherent in that data source. That source is the WPScan Vulnerability Database, but recently we realized that they in fact are often just copying their data from yet another source: the Common Vulnerabilities and Exposures (CVE) system. As we have more closely monitored that source recently, we have noticed plenty of issues with it. This week we noticed something that wasn’t as much of a concern, but does present a worse picture of the WPScan Vulnerability Database.

Earlier this week CVE-2019-12566 was published, which involves a claimed stored XSS vulnerability in WP Statistics, which has 500,000+ installs according to wordpress.org. The summary for that is: [Read more]

1 Aug 2017

What Happened With WordPress Plugin Vulnerabilities in July 2017

If you want the best information and therefore best protection against vulnerabilities in WordPress plugins we provide you that through our service.

Here is what we did to keep those who are already using our service secure from WordPress plugin vulnerabilities during July (and what you have been missing out on if you haven’t signed up yet): [Read more]

7 Jul 2017

Wordfence’s Lack of Understanding of SQL Injection Vulnerabilities Leads to False Claim About WP Statistics Vulnerability

Yesterday we touched on how the web security company Sucuri and others in the security community were overstating the threat of a vulnerability recently discovered by Sucuri in the plugin WP Statistics. While looking over something else related to that vulnerability, we came across the web security company Wordfence using that vulnerability basically as an ad for their products and services, while reminding people who are actually knowledgeable about web security that Wordfence really doesn’t have a good grasp of it.

Their post starts out: [Read more]

28 Apr 2017

Reflected Cross-Site Scripting (XSS) Vulnerability in WP Statistics

A couple of days ago we started to look into a series of releases (12.0.2-12.0.5) of the plugin WP Statistics that were indicated to have fixed cross-site scripting (XSS) vulnerabilities. While there were a couple of advisories put out related to this, those didn’t include the details needed to confirm that vulnerabilities had existed and had been fixed. When we started testing things out to figure out exactly what was going on, we accidentally ran across yet another XSS vulnerability, this time a reflected XSS vulnerability.

While that is a minor vulnerability, it probably isn’t the best sign of the security of that plugin that we could stumble onto yet another vulnerability. Considering that this is a plugin with 300,000+ active installs according to wordpress.org, it also isn’t a good sign as to the security of WordPress plugins in general. [Read more]