Description
The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the exclusion_reason parameter found in the ~/includes/class-wp-statistics-exclusion.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.4. This requires the "Record Exclusions" option to be enabled on the vulnerable site.
References (2)
Core 2
Core References
Exploit, Patch, Third Party Advisory x_refsource_misc
https://www.wordfence.com/blog/2022/02/unauthenticated-sql-injection-vulnerability-patched-in-wordpress-statistics-plugin/
Patch, Third Party Advisory x_refsource_misc
https://plugins.trac.wordpress.org/changeset/2671297/wp-statistics/trunk/includes/class-wp-statistics-hits.php
Scores
CVSS v3
9.8
EPSS
0.5346
EPSS Percentile
98.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-89
Status
published
Products (1)
veronalabs/wp_statistics
< 13.1.4
Published
Feb 16, 2022
Tracked Since
Feb 18, 2026