WordPress Plugin Vulnerabilities

WP Statistics < 13.1.6 - Unauthenticated Blind SQL Injection via current_page_type

Description

The is vulnerable to SQL Injection due to insufficient escaping and parameterization of the current_page_type parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information

Affects Plugins

Plugin icon
wp-statistics
Fixed in 13.1.6

References

CVE
CVE-2022-0651
URL
https://www.wordfence.com/vulnerability-advisories/#CVE-2022-0651

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
Muhammad Zeeshan (Xib3rR4dAr)
Verified
Yes
WPVDB ID
da5b5669-7476-47ae-9de0-d398ca408f2f

Timeline

Publicly Published
2022-02-16 (about 4 years ago)
Added
2022-02-17 (about 4 years ago)
Last Updated
2022-04-12 (about 3 years ago)

Other

Published
Title
Published
2017-08-05
Title
rk-responsive-contact-form 1.0 - Authenticated Blind SQL Injection
Published
2025-09-08
Title
ZIP Code Based Content Protection < 1.0.1 - Authenticated (Administrator+) SQL Injection
Published
2017-08-14
Title
Link-Library <= 5.9.13.26 – Authenticated SQL Injection
Published
2024-02-07
Title
WP Recipe Maker < 9.2.0 - Missing Authorization to Authenticated (Subscriber+) SQL Injecton
Published
2021-10-18
Title
Email Log < 2.4.7 - Admin+ SQL Injection