The Wordfence Threat Intelligence team discovered and reported a vulnerability in WP Statistics, a plugin installed on over 600,000 WordPress sites.
The vulnerability allowed any site visitor to extract sensitive information from a site’s database via Time-Based Blind SQL Injection.
We received a response to our initial disclosure the same day, on March 13, 2021, and sent the full disclosure to the plugin’s developers at VeronaLabs. A patch for this vulnerability was released on March 25, 2021.
Source: https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistics-patch/