3 Jul 2019

Vulnerability Details: Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) in Visitors Traffic Real Time Statistics

The changelog entry for the latest version of Visitors Traffic Real Time Statistics is “CSRF bug fixing in settings page (prevent SQL injection) – reported by Mr. Paul”. Looking at the changes made, we didn’t see any change that would fix a cross-site request forgery (CSRF) vulnerability, but we did see that a SQL statement was changed to a prepared statement, which would prevent the possibility of SQL injection through that statement. Those are separate issues: a prepared statement stops attacker-controlled input from altering the query, but it does nothing to stop a logged-in admin from being made to submit the settings form from another website. Further checking showed that there is still a CSRF vulnerability that can be used to change the plugin’s settings. We notified the developer of that yesterday, but so far we have not heard back from them and the issue hasn’t been resolved.
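To make the distinction concrete, here is an added example of a WordPress settings handler in the three states described above. It is illustrative code written for this post, not the plugin's own code; the function names, the `example_` option names and the `{$wpdb->prefix}example_settings` table are assumptions. WordPress nonces are the standard CSRF defence for admin forms: wp_nonce_field() emits a hidden token bound to the action and the logged-in user, and check_admin_referer() rejects the request unless that token is present and valid.

```php
<?php
// Added example, not code from the Visitors Traffic Real Time Statistics plugin.
// Table and option names are hypothetical.

// State 1: vulnerable to both CSRF and SQL injection. Any POST reaching this
// admin page is honoured, and the value is interpolated straight into SQL.
function example_save_settings_vulnerable() {
    global $wpdb;
    if ( ! isset( $_POST['example_tracking'] ) ) {
        return;
    }
    $value = $_POST['example_tracking'];
    $wpdb->query( "UPDATE {$wpdb->prefix}example_settings SET value = '$value' WHERE name = 'tracking'" );
}

// State 2: what a "switch to a prepared statement" fix gives you. The SQL
// injection is gone, but nothing checks that the admin actually intended this
// request, so a page on another origin can still change the setting (CSRF).
function example_save_settings_prepared_only() {
    global $wpdb;
    if ( ! isset( $_POST['example_tracking'] ) ) {
        return;
    }
    $value = sanitize_text_field( wp_unslash( $_POST['example_tracking'] ) );
    $wpdb->query( $wpdb->prepare(
        "UPDATE {$wpdb->prefix}example_settings SET value = %s WHERE name = %s",
        $value,
        'tracking'
    ) );
}

// State 3: CSRF and SQL injection both addressed. The form carries a nonce
// tied to the action 'example_save_settings', and the handler verifies it
// (and the user's capability) before touching the database.
function example_render_settings_form() {
    echo '<form method="post">';
    // Emits a hidden _wpnonce field plus a _wp_http_referer field. A page on
    // another origin cannot read this token, so it cannot forge the request.
    wp_nonce_field( 'example_save_settings' );
    echo '<label><input type="checkbox" name="example_tracking" value="1"> Track visitors</label>';
    submit_button( 'Save Changes' );
    echo '</form>';
}

function example_save_settings_fixed() {
    global $wpdb;
    if ( ! isset( $_POST['example_tracking'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You do not have permission to change these settings.' );
    }
    // Dies with an "expired link" error unless _wpnonce is valid for this
    // action and this user. This is the check the plugin's settings page lacks.
    check_admin_referer( 'example_save_settings' );

    $value = sanitize_text_field( wp_unslash( $_POST['example_tracking'] ) );
    $wpdb->query( $wpdb->prepare(
        "UPDATE {$wpdb->prefix}example_settings SET value = %s WHERE name = %s",
        $value,
        'tracking'
    ) );
}
```

When reviewing a plugin's changelog claim of a CSRF fix, the thing to look for is a new check_admin_referer() or wp_verify_nonce() call in the handler and a matching wp_nonce_field() in the form; a diff that only wraps a query in $wpdb->prepare() has changed the SQL injection picture, not the CSRF one.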
