WordPress plugin WP Statistics has patched a cross-site scripting (XSS) vulnerability that could allow for full website takeover, if the website is operating under certain non-default settings.

WP Statistics gives website owners a tool to analyze site statistics, such as the number of visitors on the site, which browsers visitors are using, and more. The plugin is made by VeronaLabs and has more than 500,000 active installations.

The unauthenticated stored XSS flaw exists in a feature of the plugin that allows a website to use a header to find the site visitors’ IP addresses. XSS can be a serious vulnerability that can enable attackers to inject client-side scripts into web pages, which could be viewed by other users. However, it is important to note that this vulnerability can only be exploited when the impacted website uses specific configurations that are not default – meaning that default settings are not vulnerable, said researchers with Sucuri who discovered the flaw.

“Certain types of information might seem safe, such as the visitor’s IP address, but in reality aren’t always what you expect,” said Antony Garand, security vulnerability researcher at Sucuri, in a Wednesday analysis. “Due to certain assumptions from the developers, it is possible for visitors to inject malicious code on administrative pages, leading to a full website takeover.”

Versions of the plugin before 12.6.7 are vulnerable to the unauthenticated stored cross-site scripting vulnerability; a patch has been issued in version 12.6.7 that addresses the flaw. Researchers said that they made initial contact with the developer regarding the flaw on June 26, 2019. The patch was released on July 1.

IP Address Abuse

The vulnerability stems from the plugin failing to sanitize or validate users’ IP address when it uses a header to identify their IP address – allowing a bad actor to potentially inject websites with malicious code.

By default, websites using the plugin can easily find visitors’ IP addresses; but, when websites running the plugin are utilizing a firewall, the user IP contacts that firewall before contacting the website.

That means the website does not know what the original user’s IP address is before it contacted the firewall; to remedy this, the firewall adds a header that contains the users’ original IP, allowing the site to identify the original user.

However, due to lack of IP validation in the plugin, an attacker could abuse this function by emitting a forwarded IP. As a result, the plugin fails to validate the IP, allowing attackers to inject malicious JavaScript code as their own IP, which will be stored and executed on administrative pages.

“Since the default value of the IP addresses is the header value and it isn’t sanitized or validated with the FILTER_VALIDATE_IP method, it will be stored as-is if there are not multiple IP addresses in the header,” researchers said.

Specific Settings

There are several roadblocks that an attacker must overcome to abuse this flaw. First of all, a website is only vulnerable when the plugin uses a header to identify the IP address of the visitor. The website must also use a bypassable firewall (meaning the website must be configured to accept connections from everyone, and not only the ones forwarded by a firewall).

Under these circumstances an attacker could emit a forwarded IP: “The common component of these two settings is the forwarded value being fully controlled by the attacker,” researchers said.

Researchers urged plugin users to update to the patched version: “To protect against this vulnerability, we strongly encourage users to update the plugin to version 12.6.7 as soon as possible,” they said.