The vulnerability resides with wp_statistics_searchengine_query() in file functions.php, which is an AJAX functionality. It is caused by the absence of sanitization in user-provided data. Wpstatistics resolved the issue and released a fix for the vulnerability with the version (12.0.8). Users are recommended to update as soon as possible. You can update from Dashboard >> Updates >> Update Now or through Plugins >> Installed plugins.”]
Source: https://gbhackers.com/wordpress-visitor-statistics-plugin-found-vulnerable-for-sql-injection/