CVE-2026-22850 HIGH

CVE-2026-22850: Koko Analytics vulnerable to arbitrary SQL execution through unescaped analytics export/import and permissive admin SQL import

Vendor Ibericode
Product koko-analytics
Weakness CWE-89 · SQLi
Published January 19, 2026
Last update January 20, 2026

CVSS base score

8.4/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Koko Analytics is an open-source analytics plugin for WordPress. Versions prior to 2.1.3 are vulnerable to arbitrary SQL execution through unescaped analytics export/import and permissive admin SQL import. Unauthenticated visitors can submit arbitrary path (`pa`) and referrer (`r`) values to the public tracking endpoint in src/Resources/functions/collect.php, which stores those strings verbatim in the analytics tables. The admin export logic in src/Admin/Data_Export.php writes these stored values directly into SQL INSERT statements without escaping. A crafted path such as "),('999','x');DROP TABLE wp_users;-- breaks out of the value list. When an administrator later imports that export file, the import handler in src/Admin/Data_Import.php reads the uploaded SQL with file_get_contents, performs only a superficial header check, splits on semicolons, and executes each statement via $wpdb->query with no validation of table names or statement types. Additionally, any authenticated user with manage_koko_analytics can upload an arbitrary .sql file and have it executed in the same permissive way. Combined, attacker-controlled input flows from the tracking endpoint into exported SQL and through the import execution sink, or directly via malicious uploads, enabling arbitrary SQL execution. In a worst-case scenario, attackers can achieve arbitrary SQL execution on the WordPress database, allowing deletion of core tables (e.g., wp_users), insertion of backdoor administrator accounts, or other destructive/privilege-escalating actions. Version 2.1.3 patches the issue.

Explanation of Vulnerability in Simple Terms

02Summary

Koko Analytics versions before 2.1.3 contain a SQL injection vulnerability in query handling. An attacker can craft a malicious link that, when clicked by a site administrator, executes arbitrary SQL commands against the database. This can lead to unauthorized data access, modification, or deletion. Update to version 2.1.3 or later immediately.

What an attacker can do

03Attacker Capabilities

Execute arbitrary SQL commands to read, modify, or delete database records.

Potential impact on your site

04Site Impact

Database contents can be exposed, altered, or destroyed if an admin visits an attacker-controlled link.

Conditions required to exploit

05Prerequisites

Attacker must trick a site administrator into clicking a malicious link.

Key dates

06Disclosure timeline

January 19, 2026 CVE published
January 20, 2026 Record updated