CVE-2022-0513 CRITICAL

CVE-2022-0513: WP Statistics <= 13.1.4 Unauthenticated Blind SQL Injection via exclusion_reason

Vendor Veronalabs

Product WP Statistics

Weakness CWE-89 · SQLi

Published February 16, 2022

Last update February 10, 2025

View on NVD All CVEs

CVSS base score

9.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the exclusion_reason parameter found in the ~/includes/class-wp-statistics-exclusion.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.4. This requires the "Record Exclusions" option to be enabled on the vulnerable site.

Key dates

02Disclosure timeline

February 16, 2022 CVE published

February 10, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-0513 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/89.html

Related vulnerabilities

CVE-2022-0513: WP Statistics <= 13.1.4 Unauthenticated Blind SQL Injection via exclusion_reason

01Description

02Disclosure timeline

03References

04Related CVE