CVE-2022-0513
Summary
| CVE | CVE-2022-0513 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-02-16 17:15:00 UTC |
| Updated | 2022-02-24 19:33:00 UTC |
| Description | The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the exclusion_reason parameter found in the ~/includes/class-wp-statistics-exclusion.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.4. This requires the "Record Exclusions" option to be enabled on the vulnerable site. |
Risk And Classification
Problem Types: CWE-89
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Veronalabs | Wp Statistics | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Patch reference (page title not retrieved; fetch returned 403 Forbidden) | MISC | plugins.trac.wordpress.org | Patch, Third Party Advisory |
| Unauthenticated SQL Injection Vulnerability Patched in WordPress Statistics Plugin | MISC | www.wordfence.com | Exploit, Patch, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Cyku Hong from DEVCORE
There are currently no legacy QID mappings associated with this CVE.