The plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the IP parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information.
CPE | Name | Operator | Version |
---|---|---|---|
wp-statistics | lt | 13.1.6 |