A critical vulnerability was discovered by the Sucuri team in older versions of the WP Statistics plugin (prior to version 8.3.1). It allows an attacker to use XSS (both stored and reflected Cross-Site Scripting) vectors to force a victim's browser to perform administrative tasks on the attacker's behalf. In other words, if you are running an older version of the WP-Statistics plugin, an attacker can use this vulnerability to create a new admin account on your WordPress site.
This vulnerability is easy to exploit and can be done remotely. Fortunately, the team at Sucuri has not revealed the technical details yet – otherwise, all the script kiddies would have a field day scanning the millions of WordPress installations.
But briefly, this vulnerability arises because the plugin fails to properly sanitize input data that is controlled by the website's visitors. If a skilled attacker inserts malicious JavaScript code into the affected parameter, it is saved in the WordPress database and 'printed as-is' in the admin panel, causing the victim's browser to carry out the attack on the attacker's behalf, such as creating a new admin user to which the attacker has access.
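The pattern described above, a visitor-controlled value stored unchanged and later echoed into an admin page, is illustrated below beside its hardened form. This is an added example written for this post; it is not code from WP Statistics or from Sucuri's advisory, and the table name, column name and the choice of the HTTP Referer header as the visitor-controlled field are hypothetical stand-ins. It uses only standard WordPress functions (`sanitize_text_field`, `esc_html`, `$wpdb->insert`, `check_admin_referer`, `current_user_can`).

```php
<?php
// Added illustration, not code from the WP Statistics plugin. The table
// "{prefix}stats_visits", its "referrer" column and the use of HTTP_REFERER
// as the visitor-controlled value are hypothetical.

// --- Recording a visit (vulnerable pattern) ---
// Raw visitor-controlled input is written to the database unchanged.
function record_visit_unsafe( $wpdb ) {
    $referrer = isset( $_SERVER['HTTP_REFERER'] ) ? $_SERVER['HTTP_REFERER'] : '';
    // Unprepared query: untrusted data is interpolated straight into the SQL.
    $wpdb->query( "INSERT INTO {$wpdb->prefix}stats_visits (referrer) VALUES ('$referrer')" );
}

// --- Rendering in the admin panel (vulnerable pattern) ---
// Whatever sits in the database is printed as-is, so any markup in it becomes
// part of the admin page and runs with the logged-in administrator's session.
function render_visits_unsafe( $rows ) {
    foreach ( $rows as $row ) {
        echo '<tr><td>' . $row->referrer . '</td></tr>';
    }
}

// --- Hardened: validate on input, prepare the query, escape on output ---
function record_visit_safe( $wpdb ) {
    $referrer = isset( $_SERVER['HTTP_REFERER'] ) ? wp_unslash( $_SERVER['HTTP_REFERER'] ) : '';
    // Reduce the value to a plain single-line string. This is input validation;
    // it does not replace escaping at the point of output.
    $referrer = sanitize_text_field( $referrer );
    // $wpdb->insert() builds a prepared statement, so the value cannot alter the SQL.
    $wpdb->insert(
        $wpdb->prefix . 'stats_visits',
        array( 'referrer' => $referrer ),
        array( '%s' )
    );
}

function render_visits_safe( $rows ) {
    foreach ( $rows as $row ) {
        // Escape for the HTML context: "<" becomes "&lt;" and can no longer open a tag.
        echo '<tr><td>' . esc_html( $row->referrer ) . '</td></tr>';
    }
}

// --- State-changing admin actions: require capability and a nonce ---
// Independently of the XSS fix, an action such as saving settings or creating a
// user should not run merely because the administrator's browser sent a request.
function handle_settings_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Dies unless the request carries a valid nonce for this action.
    check_admin_referer( 'stats_save_settings' );
    $value = isset( $_POST['option_value'] )
        ? sanitize_text_field( wp_unslash( $_POST['option_value'] ) )
        : '';
    update_option( 'stats_option', $value );
}
```

The two halves of the fix are deliberately separate: `sanitize_text_field` and the prepared insert protect the database, while `esc_html` at render time is what stops stored markup from executing in the admin panel. Escaping only on input is fragile because the same value may later be output in a different context (an attribute, a URL, JavaScript), each of which needs its own escaping function.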
If you are using this WP-Statistics Plugin, please upgrade immediately to prevent an attacker from wreaking havoc on your WordPress site.