CVE-2024-2194: WP Statistics Flaw Opens 600K+ WordPress Sites to Attack


Wordfence, a leading authority in WordPress security, warns about a serious vulnerability in the widely used WP Statistics plugin. This vulnerability (CVE-2024-2194) allows attackers to inject malicious code directly into a WordPress website, putting sensitive data and site functionality at risk.


What is WP Statistics?

WP Statistics is a popular plugin used on over 600,000 WordPress websites. It provides site owners with valuable information about their visitors, including traffic patterns, search engine referrals, and popular content.

The Nature of the Threat

Identified as CVE-2024-2194 with a CVSS score of 7.2, this vulnerability is classified as a stored cross-site scripting (XSS) issue that can be exploited via the URL search parameter. This flaw allows attackers to inject harmful web scripts into a site’s pages, which are then executed every time a user loads these compromised pages.

Cross-site scripting attacks abuse the trust between a website and its users. By injecting malicious code, attackers force legitimate pages to execute harmful commands. This can lead to data theft and site compromises that impact every visitor.
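As an added example (not part of the original article or of Wordfence's advisory), a small Python triage script for site owners: it scans web-server access logs for query-string values carrying script markers, the kind of input that a stored XSS flaw in a visitor-tracking plugin would persist and later render. The log lines are constructed, and the parameter names `q` and `ref` are placeholders, since the article does not name the vulnerable parameter.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Coarse markers of script injection in a tracked URL value. Assumption: these
# patterns are this example's own triage heuristic, not a vendor signature.
XSS_MARKERS = re.compile(r"<\s*/?\s*script|javascript\s*:|\bon[a-z]+\s*=|<\s*(img|svg|iframe|body)\b", re.IGNORECASE)

# Apache/nginx combined log format: ip ident user [time] "METHOD target PROTO" status
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(target: str) -> list[tuple[str, str]]:
    """Return (name, decoded value) for each query parameter carrying script markers."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = fully_decode(value)
        if XSS_MARKERS.search(decoded):
            hits.append((name, decoded))
    return hits

def scan_log(lines):
    """Yield (ip, timestamp, param, value) for every request with a script-like query value."""
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        for name, value in suspicious_params(m["target"]):
            yield (m["ip"], m["ts"], name, value)

# Constructed sample log lines (not real traffic); "q" and "ref" are placeholder
# parameter names, since the article does not name the vulnerable parameter.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2024:10:01:02 +0000] "GET /?q=wordpress+statistics HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Mar/2024:10:01:09 +0000] "GET /?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120',
    '198.51.100.2 - - [10/Mar/2024:10:02:00 +0000] "GET /blog/?ref=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 7000',
    '198.51.100.7 - - [10/Mar/2024:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A hit only shows that a payload was submitted, not that it was stored or executed; the point of the double decoding is that a percent-encoded payload that a single decode would leave as harmless-looking text is still caught.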

Why It’s Dangerous

  • Wide Impact: With over 600,000 active installations, a large number of websites could be vulnerable.
  • No Login Required: Exploiting this flaw does not require an attacker to have an existing account on the targeted website. This significantly lowers the barrier to entry for attacks.
  • Far-Reaching Consequences: XSS attacks can be used to steal login credentials, redirect visitors to dangerous sites, insert backdoors for further exploitation, or even create unauthorized administrative accounts.

Protect Yourself – Take Action Now

  1. Update Immediately: Despite the urgency of the situation, a significant portion of the WP Statistics user base remains vulnerable. According to data from WordPress, the plugin has been downloaded approximately 156,000 times in the past five days alone, indicating that a large number of sites have yet to apply the necessary updates to mitigate this vulnerability. If you use the WP Statistics plugin, update it to the latest patched version as soon as possible. Do not delay.
  2. Spread the Word: Share this information with other WordPress site owners – they may be unknowingly at risk.
  3. Be Vigilant About Updates: Vulnerabilities in plugins are common. Make it a habit to apply updates promptly for all plugins and themes on your WordPress site.