WP Statistics Missing Authorization Vulnerability Allows Sensitive Data Access and Privacy Audit Manipulation
Vulnerability
A vulnerability exists in the WP Statistics plugin for WordPress, affecting all versions up to and including 14.16.4. The issue stems from missing authorization checks in several AJAX handlers, which only validate a WordPress REST API nonce but do not enforce any user capability requirements. This oversight enables authenticated users with Subscriber-level access and above to access confidential analytics information, including user IDs, usernames, emails, and visitor tracking data. Additionally, these users can retrieve and alter privacy audit compliance statuses and dismiss administrative notices.
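The defect described above is the difference between a CSRF (nonce) check and an authorization (capability) check. The following PHP is an added illustration written for this advisory, not the plugin's own code: the AJAX action name comes from the advisory, while the handler bodies, the placeholder payload and the `manage_options` capability are assumptions.

```php
<?php
// Illustrative WordPress admin-ajax handlers (added example, not WP Statistics source).
// 'wp_statistics_getPrivacyStatus' is the action named in the advisory; the handler
// bodies, the returned payload and the required capability are assumptions.

// VULNERABLE PATTERN: only the 'wp_rest' nonce is verified. Every logged-in user,
// Subscriber included, can obtain a valid 'wp_rest' nonce, so this proves at most
// "the request came from a logged-in session", not "this user may read privacy data".
function insecure_get_privacy_status() {
    check_ajax_referer( 'wp_rest', '_wpnonce' );           // CSRF check only
    wp_send_json_success( array( 'status' => 'compliant' ) ); // placeholder payload
}

// HARDENED PATTERN: keep the nonce check (anti-CSRF) AND add a capability check
// (authorization). The two answer different questions and neither replaces the other.
function secure_get_privacy_status() {
    check_ajax_referer( 'wp_rest', '_wpnonce' );           // anti-CSRF, as before
    if ( ! current_user_can( 'manage_options' ) ) {        // assumed admin-only capability
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    wp_send_json_success( array( 'status' => 'compliant' ) );
}

// Registering under wp_ajax_ (not wp_ajax_nopriv_) limits the action to authenticated
// users, but says nothing about WHICH authenticated users; the capability check does that.
add_action( 'wp_ajax_wp_statistics_getPrivacyStatus', 'secure_get_privacy_status' );
```

The same pattern applies to any state-changing handler (such as the update endpoint): a nonce proves intent, `current_user_can()` proves permission, and both belong before any data is read or written.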
Impact
Exploitation of this vulnerability allows unauthorized access to sensitive analytics data, including user identifiers and tracking information. It also enables manipulation of privacy audit statuses and administrative notices.
Reproduction
The vulnerability can be reproduced by sending an AJAX request to one of the affected endpoints, such as 'wp_statistics_getPrivacyStatus' or 'wp_statistics_updatePrivacyStatus', while including a valid 'wp_rest' nonce. This can be done using a tool like Postman or through custom JavaScript code that interacts with the WordPress REST API. The absence of proper capability checks allows the request to be processed, exposing or modifying the targeted privacy data.
Remediation
Users are advised to update the WP Statistics plugin to version 14.16.5 or a later patched version.
