CVE-2022-0513

CRITICAL

WP Statistics <13.1.4 - SQL Injection

Title source: llm
STIX 2.1

Description

The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the exclusion_reason parameter found in the ~/includes/class-wp-statistics-exclusion.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.4. This requires the "Record Exclusions" option to be enabled on the vulnerable site.

Scores

CVSS v3 9.8
EPSS 0.5346
EPSS Percentile 98.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-89
Status published
Products (1)
veronalabs/wp_statistics < 13.1.4
Published Feb 16, 2022
Tracked Since Feb 18, 2026