CVE-2022-0513

The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the exclusion_reason parameter found in the ~/includes/class-wp-statistics-exclusion.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.4. This requires the "Record Exclusions" option to be enabled on the vulnerable site.
Configurations

Configuration 1 (hide)

cpe:2.3:a:veronalabs:wp_statistics:*:*:*:*:*:wordpress:*:*

History

21 Nov 2024, 06:38

Type Values Removed Values Added
References () https://plugins.trac.wordpress.org/changeset/2671297/wp-statistics/trunk/includes/class-wp-statistics-hits.php - Patch, Third Party Advisory () https://plugins.trac.wordpress.org/changeset/2671297/wp-statistics/trunk/includes/class-wp-statistics-hits.php - Patch, Third Party Advisory
References () https://www.wordfence.com/blog/2022/02/unauthenticated-sql-injection-vulnerability-patched-in-wordpress-statistics-plugin/ - Exploit, Patch, Third Party Advisory () https://www.wordfence.com/blog/2022/02/unauthenticated-sql-injection-vulnerability-patched-in-wordpress-statistics-plugin/ - Exploit, Patch, Third Party Advisory
CVSS v2 : 4.3
v3 : 7.5
v2 : 4.3
v3 : 9.8

24 Feb 2022, 19:33

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : 4.3
v3 : 7.5
CWE CWE-89
CPE cpe:2.3:a:veronalabs:wp_statistics:*:*:*:*:*:wordpress:*:*
References (MISC) https://www.wordfence.com/blog/2022/02/unauthenticated-sql-injection-vulnerability-patched-in-wordpress-statistics-plugin/ - (MISC) https://www.wordfence.com/blog/2022/02/unauthenticated-sql-injection-vulnerability-patched-in-wordpress-statistics-plugin/ - Exploit, Patch, Third Party Advisory
References (MISC) https://plugins.trac.wordpress.org/changeset/2671297/wp-statistics/trunk/includes/class-wp-statistics-hits.php - (MISC) https://plugins.trac.wordpress.org/changeset/2671297/wp-statistics/trunk/includes/class-wp-statistics-hits.php - Patch, Third Party Advisory

16 Feb 2022, 18:00

Type Values Removed Values Added
New CVE

Information

Published : 2022-02-16 17:15

Updated : 2024-11-21 06:38


NVD link : CVE-2022-0513

Mitre link : CVE-2022-0513

CVE.ORG link : CVE-2022-0513


JSON object : View

Products Affected

veronalabs

  • wp_statistics
CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')