1. Introduction
SRS Simple Hits Counter Plugin for WordPress SQL Injection is a flaw in the plugin’s code that allows an attacker to inject malicious SQL commands. This could allow them to access, modify, or delete data from your website’s database. Websites using this plugin are at risk. A successful attack could compromise confidentiality, integrity and availability of the WordPress site.
2. Technical Explanation
The SRS Simple Hits Counter Plugin is vulnerable to SQL injection due to insufficient input validation when handling user-supplied data. An attacker can send crafted requests containing SQL code that will be executed by the database server. Note that the scanner that reported this finding relied on the plugin's self-reported version number and did not perform active testing, so the finding is version-based rather than confirmed by exploitation. CVE-2020-5766 describes this vulnerability.
- Root cause: Missing input validation in the plugin allows arbitrary SQL commands to be injected into database queries.
- Exploit mechanism: An attacker can manipulate URL parameters or form inputs to include malicious SQL code, which is then executed by the WordPress database server. For example, a crafted request could bypass authentication checks.
- Scope: Affects installations of SRS Simple Hits Counter Plugin for WordPress.
3. Detection and Assessment
You can confirm whether your system is vulnerable by checking the plugin version and looking for evidence of exploitation attempts in logs.
- Quick checks: Check the installed plugins list within the WordPress admin interface to see if SRS Simple Hits Counter Plugin is present, along with its version number.
- Scanning: Nessus or other vulnerability scanners may identify this issue using plugin-specific signatures.
- Logs and evidence: Examine WordPress error logs for SQL errors related to the plugin. Look for unusual database activity in server logs.
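The following is an added example, not code from the original guide or from the plugin author: a small log triage script that implements the "logs and evidence" check above. It parses web-server access log lines in the common "combined" format, keeps only requests whose path is under the plugin's directory, and flags query-string values that carry coarse SQL-injection indicators. The plugin directory path, the `counter.php` file name and the `id` parameter are assumptions used for the constructed sample lines; the guide does not name the vulnerable endpoint or parameter, so adjust `PLUGIN_PATH` to match your install.

```python
"""Triage access logs for SQL-injection attempts aimed at the SRS Simple
Hits Counter plugin directory (added detection example, section 3)."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Assumption: requests for the plugin are served from its directory under
# wp-content/plugins. Change this if your install uses a different layout.
PLUGIN_PATH = "/wp-content/plugins/srs-simple-hits-counter/"

# Apache/nginx "combined" log format (only the fields we need are captured).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
    r'(?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Coarse SQL-injection indicators; expect some false positives and tune
# against your own traffic before alerting on matches.
SQLI_RE = re.compile(
    r"(\bunion\b[\s/*]+\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|"
    r"information_schema|\bor\b\s+\d+\s*=\s*\d+|'\s*(or|and)\b|--\s|/\*|"
    r";\s*(drop|update|delete|insert)\b)",
    re.IGNORECASE,
)

# Constructed sample log lines (not real traffic). The file name counter.php
# and the parameter id are placeholders. Line 4 hits the site search, not the
# plugin, and must be ignored by the path filter.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2020:13:55:36 +0000] "GET /wp-content/plugins/srs-simple-hits-counter/counter.php?id=42 HTTP/1.1" 200 512
203.0.113.10 - - [10/Oct/2020:13:55:41 +0000] "GET /wp-content/plugins/srs-simple-hits-counter/counter.php?id=42%27%20OR%201%3D1--%20 HTTP/1.1" 200 9831
198.51.100.7 - - [10/Oct/2020:13:56:02 +0000] "GET /wp-content/plugins/srs-simple-hits-counter/counter.php?id=42%20UNION%20SELECT%201%2C2%2C3-- HTTP/1.1" 500 0
198.51.100.7 - - [10/Oct/2020:13:56:09 +0000] "GET /?s=union%20select HTTP/1.1" 200 4411
"""


def parse_line(line):
    """Return the captured fields of one combined-format line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_params(target):
    """Return (param, decoded value) pairs whose value matches SQLI_RE."""
    query = urlsplit(target).query
    hits = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl already decoded once; decode again to catch double encoding.
        decoded = unquote_plus(value)
        if SQLI_RE.search(decoded):
            hits.append((key, decoded))
    return hits


def scan(log_text):
    """Scan log text and return one finding per suspicious parameter."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue  # not a combined-format line; skip rather than crash
        if not urlsplit(rec["target"]).path.startswith(PLUGIN_PATH):
            continue  # only requests aimed at the plugin directory
        for key, value in suspicious_params(rec["target"]):
            findings.append({
                "line": lineno, "ip": rec["ip"], "status": rec["status"],
                "param": key, "value": value,
            })
    return findings


def by_source(findings):
    """Count findings per client IP, useful for prioritising follow-up."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']}: {f['ip']} status={f['status']} "
              f"{f['param']}={f['value']!r}")
    print(by_source(scan(SAMPLE_LOG)))
```

Run it against a real log with `scan(open("access.log").read())`; a HTTP 500 on a flagged request is worth correlating with the SQL errors the guide asks you to look for in the WordPress error log, since a syntax error raised by an injected quote is a common signature of a probe.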
wp plugin list | grep srs-simple-hits-counter
4. Solution / Remediation Steps
The recommended solution is to remove the vulnerable plugin.
4.1 Preparation
- Take a full backup of the WordPress files and database before making changes. No services need to be stopped for this action, but consider a maintenance window if you have high traffic. The roll back plan is to restore that backup if issues occur.
- Changes should be approved by a senior administrator or security team member.
4.2 Implementation
- Step 1: Log in to your WordPress admin interface as an administrator.
- Step 2: Navigate to the “Plugins” section.
- Step 3: Locate SRS Simple Hits Counter Plugin and click “Deactivate”.
- Step 4: Click “Delete” to remove the plugin completely from your server.
4.3 Config or Code Example
No config changes are needed, as this involves removing the plugin.
Before: SRS Simple Hits Counter Plugin is installed and active.
After: SRS Simple Hits Counter Plugin is not present in the plugins list.
4.4 Security Practices Relevant to This Vulnerability
Several security practices can help prevent this type of issue.
- Practice 1: Least privilege – limit database user permissions to only what’s needed by each application component, reducing the impact if an injection attack succeeds.
4.5 Automation (Optional)
Automated removal is possible via WP-CLI, but requires careful testing. Note that `wp plugin deactivate` takes no `--activate` option, so the command is simply:
wp plugin deactivate srs-simple-hits-counter && wp plugin delete srs-simple-hits-counter
5. Verification / Validation
Confirm the fix by checking that the plugin is removed and retesting for the vulnerability.
- Post-fix check: Run `wp plugin list` and confirm SRS Simple Hits Counter Plugin is not listed.
- Re-test: Repeat the steps in section 3 to verify the plugin is no longer present.
- Monitoring: Monitor WordPress error logs for any errors related to missing plugin files or functions.
wp plugin list | grep srs-simple-hits-counter # Should return no results
6. Preventive Measures and Monitoring
Regular security practices can help prevent similar vulnerabilities.
- Baselines: Update your WordPress baseline to exclude known vulnerable plugins like SRS Simple Hits Counter Plugin.
- Pipelines: Implement Static Application Security Testing (SAST) in your CI/CD pipeline to identify potential SQL injection flaws during development.
- Asset and patch process: Review installed plugins regularly and apply updates promptly.
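As an added example that is not part of the original guide, the script below turns the post-fix check in section 5 and the baseline item in section 6 into a repeatable gate: it reads the JSON produced by `wp plugin list --format=json` (a real WP-CLI format; the `name`, `status`, `update` and `version` fields are what WP-CLI emits), fails if any deny-listed plugin slug is installed, warns about plugins with pending updates, and prints the WP-CLI removal commands from section 4.5 for each hit. The deny-list reason text and the sample inventory (including its `0.0-sample` version strings) are constructed for the demo; the guide records no fixed version, so the rule is "not installed at all".

```python
"""Deny-list gate over `wp plugin list --format=json` output (added example
for sections 4.5, 5 and 6; not the guide's own tooling)."""
import json
import subprocess
import sys

# Plugin slugs that must not be present, with the reason (constructed text).
DENY_LIST = {
    "srs-simple-hits-counter": "CVE-2020-5766 SQL injection; remove the plugin",
}

# Constructed sample of `wp plugin list --format=json`; versions are placeholders.
SAMPLE_WP_JSON = json.dumps([
    {"name": "akismet", "status": "active", "update": "available", "version": "0.0-sample"},
    {"name": "srs-simple-hits-counter", "status": "active", "update": "none", "version": "0.0-sample"},
    {"name": "hello", "status": "inactive", "update": "none", "version": "0.0-sample"},
])


def live_plugin_json():
    """Fetch the real inventory from WP-CLI on this host (not used offline)."""
    proc = subprocess.run(["wp", "plugin", "list", "--format=json"],
                          check=True, capture_output=True, text=True)
    return proc.stdout


def evaluate(plugin_json, deny_list=DENY_LIST):
    """Return deny-list hits, plugins with pending updates, and a pass flag."""
    plugins = json.loads(plugin_json)
    denied = [p for p in plugins if p["name"] in deny_list]
    stale = [p for p in plugins if p.get("update") == "available"]
    # Pending updates are warnings; any deny-list hit fails the gate.
    return {"denied": denied, "stale": stale, "ok": not denied}


def remediation_commands(report):
    """WP-CLI commands mirroring section 4.5: deactivate (if active), then delete."""
    cmds = []
    for p in report["denied"]:
        if p["status"] != "inactive":  # covers active and active-network
            cmds.append(f"wp plugin deactivate {p['name']}")
        cmds.append(f"wp plugin delete {p['name']}")
    return cmds


if __name__ == "__main__":
    report = evaluate(SAMPLE_WP_JSON)
    for p in report["denied"]:
        print(f"FAIL {p['name']} {p['version']} ({p['status']}): {DENY_LIST[p['name']]}")
    for p in report["stale"]:
        print(f"WARN {p['name']} {p['version']} has an update available")
    for cmd in remediation_commands(report):
        print("   ", cmd)
    sys.exit(0 if report["ok"] else 1)
```

To use it in a pipeline, swap `SAMPLE_WP_JSON` for `live_plugin_json()` and let the non-zero exit code fail the job; after the removal in section 4 the same run should report no deny-list hits, which is the section 5 post-fix check in executable form.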
7. Risks, Side Effects, and Roll Back
Removing the plugin may break functionality if other parts of your site rely on it.
- Risk or side effect 1: Removing the plugin could cause errors if other plugins or themes depend on its functions.
- Risk or side effect 2: Loss of hit counter data if no alternative tracking mechanism is in place.
- Roll back: Restore your WordPress database and files from the backup taken in section 4.1. Re-install SRS Simple Hits Counter Plugin (if necessary) and verify functionality.
8. References and Resources
Links to official resources about this vulnerability.
- Vendor advisory or bulletin: https://wordpress.org/plugins/srs-simple-hits-counter/
- NVD or CVE entry: CVE-2020-5766
- Product or platform documentation relevant to the fix: https://www.tenable.com/security/research/tra-2020-42