WordPress Plugin Vulnerabilities

WP Statistics <= 12.0.7 - Authenticated SQL Injection

Description

The WP Statistics WordPress plugin was affected by an Authenticated SQL Injection security vulnerability.

Affects Plugins

Plugin icon
wp-statistics
Fixed in 12.0.8

References

CVE
CVE-2017-18515
URL
https://blog.sucuri.net/2017/06/sql-injection-vulnerability-wp-statistics.html
URL
https://plugins.trac.wordpress.org/changeset/1687774/wp-statistics

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
9.8 (critical)

Miscellaneous

Submitter
ethicalhack3r
Submitter twitter
ethicalhack3r
Verified
No
WPVDB ID
706b9d83-5970-41ae-a70e-bba2bcb35678

Timeline

Publicly Published
2017-06-30 (about 8 years ago)
Added
2017-07-01 (about 8 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2023-12-21
Title
JS Help Desk < 2.8.2 - Unauthenticated SQL Injection via email and trackingid
Published
2024-07-29
Title
SmartSearch WP <= 2.4.4 - Unauthenticated SQLi
Published
2025-11-07
Title
Traveler < 3.2.6 - Authenticated (Subscriber+) SQL Injection
Published
2016-11-12
Title
WP eCommerce <= 3.11.3 - SQL Injection in sessionid
Published
2024-03-28
Title
CRM Perks Forms < 1.1.5 - Unauthenticated SQL Injection