AhnLab cybersecurity researchers: The malware is downloaded and executed from a WSF file within a compressed file, delivered via URL in phishing emails.
The Track The Click plugin is vulnerable to time-based SQL Injection. Wordfence cybersecurity researchers: The versions involved are up to, and including, 0.3.11. The issue has been completely fixed in 0.3.12
The WordPress Track The Click plugin is vulnerable to time-based SQL Injection in versions up to, and including, 0.3.11. Wordfence cybersecurity researchers denounce it. This, due to insufficient escaping on user supplied data submitted via the ‘stats’ REST endpoint and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with author-level permissions and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. However, the issue was partially fixed in version 0.3.11 and completely fixed in 0.3.12.