CVE-2022-0513

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to perform SQL injection attacks on WordPress sites running the WP Statistics plugin with 'Record Exclusions' enabled. Attackers can extract sensitive database information, including user credentials and site data. All WordPress sites using WP Statistics versions up to and including 13.1.4 with this option enabled are affected.

💻 Affected Systems

Products:
  • WP Statistics WordPress Plugin
Versions: Up to and including 13.1.4
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Requires 'Record Exclusions' option to be enabled in plugin settings.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to credential theft, data exfiltration, and potential site takeover via privilege escalation.

🟠 Likely Case

Extraction of sensitive user data, admin credentials, and potentially database manipulation.

🟢 If Mitigated

Limited impact with proper input validation and database permissions in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection via exclusion_reason parameter requires no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 13.1.5

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/2671297/wp-statistics/trunk/includes/class-wp-statistics-hits.php

Restart Required: No

Instructions:

  1. Log into WordPress admin panel.
  2. Navigate to Plugins > Installed Plugins.
  3. Find WP Statistics and click 'Update Now'.
  4. Verify version is 13.1.5 or higher.

🔧 Temporary Workarounds

Disable Record Exclusions

Applies to: all

Temporarily disable the vulnerable feature until patching is possible.

Web Application Firewall Rule

Applies to: all

Block requests containing SQL injection patterns targeting the exclusion_reason parameter.

🧯 If You Can't Patch

  • Disable the WP Statistics plugin completely
  • Implement strict input validation and parameterized queries at the application level

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > WP Statistics version. If the version is 13.1.4 or lower and 'Record Exclusions' is enabled, the site is vulnerable.

Check Version:

wp plugin list --name=wp-statistics --field=version

Verify Fix Applied:

Verify WP Statistics plugin version is 13.1.5 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple requests with SQL-like patterns in exclusion_reason parameter
  • Failed authentication attempts following SQL injection patterns

Network Indicators:

  • HTTP POST requests to wp-statistics endpoints with SQL payloads in parameters
  • Unusual database connection patterns from web server

SIEM Query:

source="web_logs" AND (exclusion_reason CONTAINS "UNION" OR exclusion_reason CONTAINS "SELECT" OR exclusion_reason CONTAINS "INSERT")
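The version check from "How to Verify" and the SIEM query above, as an added Python example that is not part of the original advisory. It compares version components numerically (a plain string comparison would wrongly treat "13.1.10" as older than "13.1.5") and scans constructed access-log lines for SQL-like patterns in the exclusion_reason parameter; the log lines, IPs and field layout are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in common log format (not from the advisory).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2022:10:01:02 +0000] "GET /?exclusion_reason=bot HTTP/1.1" 200 512
203.0.113.9 - - [10/Feb/2022:10:01:07 +0000] "GET /?exclusion_reason=x%27%20UNION%20SELECT%201-- HTTP/1.1" 200 512
198.51.100.2 - - [10/Feb/2022:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3000
"""

# client ip, timestamp, method, request URI, status code
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Keywords from the advisory's SIEM query plus the two common SQL comment markers.
SQL_PATTERN = re.compile(r"\b(UNION|SELECT|INSERT)\b|--|/\*", re.IGNORECASE)


def is_vulnerable(version, record_exclusions_enabled):
    """True when the plugin is <= 13.1.4 and 'Record Exclusions' is switched on.

    Components are compared as integers so that 13.1.10 sorts after 13.1.5.
    """
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    return bool(record_exclusions_enabled) and parts <= (13, 1, 4)


def suspicious_requests(log_text):
    """Return (client_ip, decoded_value) for every request whose URL-decoded
    exclusion_reason parameter matches SQL_PATTERN."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as a request record
        ip, _ts, _method, uri, _status = m.groups()
        # parse_qs performs the percent-decoding, so encoded payloads are caught too
        params = parse_qs(urlsplit(uri).query, keep_blank_values=True)
        for value in params.get("exclusion_reason", []):
            if SQL_PATTERN.search(value):
                hits.append((ip, value))
    return hits


if __name__ == "__main__":
    print("vulnerable:", is_vulnerable("13.1.4", True))
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"suspicious exclusion_reason from {ip}: {value!r}")
```

Web server access logs only record the query string, so POST bodies (the request type named under Network Indicators) are invisible to this scan; run the same check against WAF or application logs that capture request bodies.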

🔗 References
