Vulnerability Description
The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the current_page_id parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Veronalabs | Wp Statistics | <= 13.1.5 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/174482/WordPress-WP-Statistics-13.1.5-SQL-IExploitThird Party AdvisoryVDB Entry
- https://gist.github.com/Xib3rR4dAr/5dbd58b7f57a5037fe461fba8e696042ExploitThird Party Advisory
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&oldPatchThird Party Advisory
- https://www.wordfence.com/vulnerability-advisories/#CVE-2022-25148Third Party Advisory
- http://packetstormsecurity.com/files/174482/WordPress-WP-Statistics-13.1.5-SQL-IExploitThird Party AdvisoryVDB Entry
- https://gist.github.com/Xib3rR4dAr/5dbd58b7f57a5037fe461fba8e696042ExploitThird Party Advisory
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&oldPatchThird Party Advisory
- https://www.wordfence.com/vulnerability-advisories/#CVE-2022-25148Third Party Advisory
FAQ
What is CVE-2022-25148?
CVE-2022-25148 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the current_page_id parameter found in the ~/includes/class-wp-statistics-hits.ph...
How severe is CVE-2022-25148?
CVE-2022-25148 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2022-25148?
Check the references section above for vendor advisories and patch information. Affected products include: Veronalabs Wp Statistics.