WordPress Plugin Vulnerabilities

WP Statistics < 13.2.11 - Subscriber+ SQLi

Description

The plugin does not properly sanitise and escape some parameters before using them in SQL statements, leading to a SQL injection exploitable by users with a role as low as subscriber

Affects Plugins

Plugin icon
wp-statistics
Fixed in 13.2.11

References

CVE
CVE-2022-38074

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
7.7 (high)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
0ec129a5-5290-447e-a0fe-c8a470b99343

Timeline

Publicly Published
2023-01-31 (about 3 years ago)
Added
2023-03-13 (about 2 years ago)
Last Updated
2023-03-13 (about 2 years ago)

Other

Published
Title
Published
2025-04-04
Title
Split Test For Elementor < 1.8.4 - Editor+ SQLi
Published
2024-02-20
Title
Fancy Product Designer < 6.1.5 - Admin+ SQL Injection
Published
2025-12-11
Title
WPNakama < 0.6.4 - Unauthenticated SQL Injection via 'order_by' Parameter
Published
2025-02-17
Title
Tour Master - Tour Booking, Travel, Hotel < 5.3.8 - Authenticated (Subscriber+) SQL Injection via review_id Parameter
Published
2025-10-23
Title
RapidResult < 1.3 - Authenticated (Contributor+) SQL Injection