Vulnerability Description
The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the current_page_type parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Veronalabs | Wp Statistics | <= 13.1.5 |
Related Weaknesses (CWE)
References
- https://gist.github.com/Xib3rR4dAr/5dbd58b7f57a5037fe461fba8e696042ExploitThird Party Advisory
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&oldPatchThird Party Advisory
- https://www.wordfence.com/vulnerability-advisories/#CVE-2022-0651Third Party Advisory
- https://gist.github.com/Xib3rR4dAr/5dbd58b7f57a5037fe461fba8e696042ExploitThird Party Advisory
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&oldPatchThird Party Advisory
- https://www.wordfence.com/vulnerability-advisories/#CVE-2022-0651Third Party Advisory
FAQ
What is CVE-2022-0651?
CVE-2022-0651 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the current_page_type parameter found in the ~/includes/class-wp-statistics-hits....
How severe is CVE-2022-0651?
CVE-2022-0651 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2022-0651?
Check the references section above for vendor advisories and patch information. Affected products include: Veronalabs Wp Statistics.