CVE-2022-0651 CRITICAL

CVE-2022-0651: WP Statistics <= 13.1.5 Unauthenticated Blind SQL Injection via current_page_type

Vendor Wp Statistics

Product WP Statistics

Weakness CWE-89 · SQLi

Published February 24, 2022

Last update January 31, 2025

View on NVD All CVEs

CVSS base score

9.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the current_page_type parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5.

Key dates

02Disclosure timeline

February 24, 2022 CVE published

January 31, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-0651 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/89.html

Related vulnerabilities

CVE-2022-0651: WP Statistics <= 13.1.5 Unauthenticated Blind SQL Injection via current_page_type

01Description

02Disclosure timeline

03References

04Related CVE