WP Statistics WordPress Plugin Patches CSRF Vulnerability


The United States Government's National Vulnerability Database (NVD) published an advisory about a vulnerability discovered in the WP Statistics WordPress plugin that affects up to 600,000 active installations.

The vulnerability was assigned a medium threat level score of 6.5 on a scale of 1 to 10, with level 10 representing the most severe vulnerability level.

WP Statistics Cross-Site Request Forgery (CSRF)

The WP Statistics plugin was found to contain a Cross-Site Request Forgery vulnerability that could allow an attacker to compromise a website by activating or deactivating plugins.

A Cross-Site Request Forgery is an attack that requires a registered site user (such as an administrator) to perform an action like clicking a link, which then allows an attacker to take advantage of a security hole.

The security hole in this case is a "missing or incorrect nonce validation."

A WordPress nonce is a security token that is issued to a registered user and allows that user to securely perform actions that only a registered user is permitted to do.

The WordPress developer pages explain the nonce with the example of an administrator deleting a post.

WordPress might generate a URL like this when an administrator-level user deletes a post.

Below is a hypothetical example of a URL generated when deleting a post with an ID number of 123:

http://example.com/wp-admin/post.php?post=123&action=trash

A registered WordPress site admin would pick up a nonce, and the URL in the example may then look like this:

http://example.com/wp-admin/post.php?post=123&action=trash&_wpnonce=b192fc4204

That last part, &_wpnonce=b192fc4204, is the nonce.

So, what is happening is that the nonce is either missing or not properly validated within the WP Statistics plugin, and that creates a security hole for a malicious hacker to exploit.
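To make the nonce mechanism concrete, here is an added example (not code from the WP Statistics plugin or from WordPress core) of an admin action handler that activates or deactivates a plugin only when the request carries a valid nonce and the user holds the right capability. The hook name `demo_toggle_plugin` and the nonce action prefix `demo-toggle-plugin_` are hypothetical; `wp_nonce_url()`, `check_admin_referer()`, `current_user_can()`, `activate_plugin()` and `deactivate_plugins()` are real WordPress functions.

```php
<?php
// Added example, not WP Statistics code. Hook/action names are hypothetical.
if ( ! function_exists( 'activate_plugin' ) ) {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
}

// 1. Building the link: wp_nonce_url() appends &_wpnonce=<token> for the
//    given action, exactly like the post-trash URL shown in the article.
function demo_toggle_plugin_link( $plugin_file, $do ) {
    $url = admin_url( 'admin-post.php?action=demo_toggle_plugin'
        . '&do=' . rawurlencode( $do )
        . '&plugin=' . rawurlencode( $plugin_file ) );
    // Tie the nonce to the specific plugin so a token issued for one
    // plugin cannot be reused against another.
    return wp_nonce_url( $url, 'demo-toggle-plugin_' . $plugin_file );
}

// 2. Handling the request.
function demo_toggle_plugin_handler() {
    $plugin_file = isset( $_GET['plugin'] ) ? sanitize_text_field( wp_unslash( $_GET['plugin'] ) ) : '';
    $do          = isset( $_GET['do'] ) ? sanitize_text_field( wp_unslash( $_GET['do'] ) ) : '';

    // Capability check. CSRF rides on the victim's own session, so this
    // alone does not stop it, but without it any logged-in user could
    // reach the action directly.
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // Nonce check: the step the advisory describes as missing or incorrect.
    // check_admin_referer() reads _wpnonce, verifies it against the SAME
    // action string used when the link was built, and calls wp_die() on
    // failure. "Incorrect" validation typically means a mismatched action
    // string, or calling wp_verify_nonce() and ignoring its false result.
    check_admin_referer( 'demo-toggle-plugin_' . $plugin_file );

    if ( 'activate' === $do ) {
        $result = activate_plugin( $plugin_file );
        if ( is_wp_error( $result ) ) {
            wp_die( esc_html( $result->get_error_message() ) );
        }
    } elseif ( 'deactivate' === $do ) {
        deactivate_plugins( $plugin_file );
    }

    wp_safe_redirect( admin_url( 'plugins.php' ) );
    exit;
}
add_action( 'admin_post_demo_toggle_plugin', 'demo_toggle_plugin_handler' );
```

A forged link from another site cannot carry a valid `_wpnonce` for this action, so the request dies at `check_admin_referer()` before any plugin is touched.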

The National Vulnerability Database (NVD) explains it like this:

"The WP Statistics plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 13.1.1. This is due to missing or incorrect nonce validation on the view() function.

This makes it possible for unauthenticated attackers to activate and deactivate arbitrary plugins, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."

CSRF Vulnerability Patch

The WP Statistics plugin vulnerability affects versions up to and including 13.1.1. However, numerous security fixes have been added since then, including in version 13.2.11, plus more fixes after that.

The current version of the plugin is 14.0.1. At present only 29.3% of users are running the latest version.


Users of the outdated version of the plugin may want to consider updating to the latest version.

Read the NVD security advisory:

CVE-2021-4333 Detail
