Vulnerabilities > CVE-2022-25148 - Unspecified vulnerability in Veronalabs WP Statistics
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the current_page_id parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5.
Vulnerable Configurations
References
- http://packetstormsecurity.com/files/174482/WordPress-WP-Statistics-13.1.5-SQL-Injection.html
- http://packetstormsecurity.com/files/174482/WordPress-WP-Statistics-13.1.5-SQL-Injection.html
- https://gist.github.com/Xib3rR4dAr/5dbd58b7f57a5037fe461fba8e696042
- https://gist.github.com/Xib3rR4dAr/5dbd58b7f57a5037fe461fba8e696042
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2679983%40wp-statistics&new=2679983%40wp-statistics&sfp_email=&sfph_mail=
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2679983%40wp-statistics&new=2679983%40wp-statistics&sfp_email=&sfph_mail=
- https://www.wordfence.com/vulnerability-advisories/#CVE-2022-25148
- https://www.wordfence.com/vulnerability-advisories/#CVE-2022-25148