Visitor Information Disclosure in wp-statistics
Just noticed this, and when Googling it turns out it has been picked up already, so this isn't new, but the wp-statistics plugin (v13.0.8 for sure, but likely other versions too) seems to be writing log output into a "wp-statistics.log" file in the web root of the site it is installed on. Because the file sits under the document root, it is served like any other static file: if the site has the add-on enabled, anyone can fetch domain.tld/wp-statistics.log and in some cases read the IP addresses of the site's visitors.
You can block external access to it in the .htaccess file via:
# Apache 2.4 syntax: deny every web request for the log file
<Files "wp-statistics.log">
    Require all denied
</Files>
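As an added example (not part of the original post), a small POSIX shell helper that appends the same deny block to a site's .htaccess only if it is not already there, so it can be re-run safely, plus a curl check to confirm the log is no longer served. The .htaccess path and site URL are arguments you supply; nothing here is specific to a real site.

```shell
#!/bin/sh
# Hardening helper for the wp-statistics.log exposure (added example).
# Assumes Apache 2.4 with .htaccess overrides enabled for the web root.

LOGNAME="wp-statistics.log"

# Returns 0 if the .htaccess already has a <Files> block for the log file.
htaccess_has_block() {
    grep -q "<Files \"${LOGNAME}\">" "$1" 2>/dev/null
}

# Append the deny block only when it is missing; idempotent on re-runs.
# Usage: harden_htaccess /var/www/site/.htaccess
harden_htaccess() {
    htaccess="$1"
    if htaccess_has_block "$htaccess"; then
        return 0
    fi
    cat >> "$htaccess" <<EOF

# Block direct web access to the wp-statistics log (contains visitor IPs)
<Files "${LOGNAME}">
    Require all denied
</Files>
EOF
}

# Optional post-change check for your own site: returns 0 when the log
# URL no longer answers 200. Usage: verify_blocked https://example.test
verify_blocked() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1/${LOGNAME}")
    [ "$code" != "200" ]
}
```

Run `harden_htaccess` against the site's .htaccess, then `verify_blocked` with the site's base URL; a 403 or 404 means the mitigation is in effect.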
I've logged an issue on their GitHub page; hopefully they fix this soon.
Update 2021-07-22: according to the latest comment on the issue, a fix will be pushed out this weekend.
A quick Google dork will show up a fair number of affected sites, including some... potentially embarrassing ones.