Visitor Information Disclosure in wp-statistics
2021-07-13 01:05:00 Author: fyr.io

Just noticed this and when Googling it has been picked up already, so this isn’t new, but the wp-statistics module (v13.0.8 for sure but likely others too. Will edit this when I have done some more research) seems to be logging information into the “wp-statistics.log” file in the root directory of the site it is installed on. You can therefore access it and read the IP addresses of visitors to a site if they have the addon enabled by visiting domain.tld/wp-statistics.log

You can block external access to it in the .htaccess file via:

<Files "wp-statistics.log">
  Require all denied
</Files>

Hopefully they fix this soon, preferably by moving this file into the plugin folder and securing it.
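
To check a site root for this exposure and for the deny rule above, here is an added example (not part of the original post or the plugin). The function names and the three status labels are assumptions made for illustration, and the demo runs against a constructed temporary directory.

```python
import re
import tempfile
from pathlib import Path

LOG_NAME = "wp-statistics.log"  # file name given in the post

# <Files name> ... </Files> sections; quotes around the name are optional
FILES_BLOCK = re.compile(
    r'<Files\s+"?([^">\s]+)"?\s*>(.*?)</Files\s*>', re.IGNORECASE | re.DOTALL
)
# Apache 2.4 rule from the post, plus the older 2.2 equivalent
DENY_RULE = re.compile(
    r"^\s*(Require\s+all\s+denied|Deny\s+from\s+all)\s*$", re.IGNORECASE | re.MULTILINE
)


def htaccess_denies(htaccess_text: str, filename: str = LOG_NAME) -> bool:
    """True if an active <Files> block for filename contains a deny rule."""
    # Drop comment lines so a commented-out rule is not counted as protection
    active = "\n".join(
        line for line in htaccess_text.splitlines()
        if not line.lstrip().startswith("#")
    )
    return any(
        name == filename and DENY_RULE.search(body)
        for name, body in FILES_BLOCK.findall(active)
    )


def audit_docroot(docroot: Path) -> str:
    """Classify a site root as 'absent', 'exposed' or 'denied' (hypothetical labels)."""
    if not (docroot / LOG_NAME).is_file():
        return "absent"
    htaccess = docroot / ".htaccess"
    text = htaccess.read_text(errors="replace") if htaccess.is_file() else ""
    return "denied" if htaccess_denies(text) else "exposed"


def demo() -> list:
    """Audit a constructed site root in three states: no log, log only, log plus rule."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        results.append(audit_docroot(root))
        (root / LOG_NAME).write_text("constructed sample log line\n")
        results.append(audit_docroot(root))
        (root / ".htaccess").write_text(f'<Files "{LOG_NAME}">\n  Require all denied\n</Files>\n')
        results.append(audit_docroot(root))
    return results
```

A "denied" result only shows that the rule is present in the file. The rule takes effect only on Apache with overrides enabled for that directory, so confirm by requesting domain.tld/wp-statistics.log on your own site and checking for a 403 response.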


Source: https://fyr.io/2021/07/12/visitor-information-disclosure-in-wp-statistics/