The WP Statistics WordPress plugin before 13.2.9 does not escape a parameter, which could allow authenticated users to perform SQL Injection attacks. By default, the affected feature is available to users with the manage_options capability (admin+), however the plugin has a settings to allow low privilege users to access it as well.
References
Link | Resource |
---|---|
https://wpscan.com/vulnerability/a0e40cfd-b217-481c-8fc4-027a0a023312 | Exploit Third Party Advisory |
https://wpscan.com/vulnerability/a0e40cfd-b217-481c-8fc4-027a0a023312 | Exploit Third Party Advisory |
Configurations
History
21 Nov 2024, 07:34
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-01-23 15:15
Updated : 2024-11-21 07:34
NVD link : CVE-2022-4230
Mitre link : CVE-2022-4230
CVE.ORG link : CVE-2022-4230
JSON object : View
Products Affected
veronalabs
- wp_statistics
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')