CVE-2022-0651

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to perform SQL injection against WordPress sites running the WP Statistics plugin. Attackers can extract sensitive database information including user credentials, personal data, and site configuration. All WordPress installations with WP Statistics plugin versions up to and including 13.1.5 are affected.

💻 Affected Systems

Products:
  • WP Statistics WordPress Plugin
Versions: All versions up to and including 13.1.5
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with vulnerable versions are affected regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to credential theft, data exfiltration, privilege escalation, and potential site takeover.

🟠 Likely Case

Extraction of sensitive user data, admin credentials, and plugin configuration information.

🟢 If Mitigated

Limited information disclosure if database permissions are properly restricted and a WAF blocks injection attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept code exists and exploitation requires minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 13.1.6 and later

Vendor Advisory: https://wordpress.org/plugins/wp-statistics/#developers

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find WP Statistics and click 'Update Now'
4. Verify version is 13.1.6 or higher

🔧 Temporary Workarounds

Temporary Plugin Deactivation (applies to: all)

Disable the WP Statistics plugin until patched:

wp plugin deactivate wp-statistics

WAF Rule Implementation (applies to: all)

Block SQL injection attempts targeting the current_page_type parameter.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) with SQL injection protection
  • Restrict database user permissions to SELECT only where possible

🔍 How to Verify

Check if Vulnerable:

Check WP Statistics plugin version in WordPress admin panel under Plugins → Installed Plugins

Check Version:

wp plugin get wp-statistics --field=version

Verify Fix Applied:

Confirm WP Statistics version is 13.1.6 or higher in plugin details

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple requests with current_page_type parameter containing SQL syntax

Network Indicators:

  • HTTP POST/GET requests to wp-statistics endpoints with SQL injection payloads

SIEM Query:

web.url:*wp-statistics* AND (web.param:*current_page_type* AND (web.param:*UNION* OR web.param:*SELECT* OR web.param:*--*))
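As an added example (not part of this advisory), the following Python scanner applies the same logic as the SIEM query above to web-server access-log lines: it keeps only requests to wp-statistics URLs and flags a current_page_type value containing SQL syntax, after URL-decoding. The combined log format, the example.php endpoint path and the sample lines are constructed assumptions, not the real plugin endpoint.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Request-line parser for an Apache/Nginx "combined"-style access log (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Tokens mirrored from the SIEM query (UNION, SELECT, "--") plus the block-comment opener.
SQL_TOKENS = re.compile(r"(union|select|--|/\*)", re.IGNORECASE)

# Constructed sample lines: one benign, one suspicious, one unrelated to the plugin.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Feb/2022:09:01:10 +0000] "GET /wp-content/plugins/wp-statistics/example.php?current_page_type=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Feb/2022:09:01:12 +0000] "GET /wp-content/plugins/wp-statistics/example.php?current_page_type=x%27%20UNION%20SELECT%201-- HTTP/1.1" 200 714 "-" "curl/7.79"',
    '192.0.2.9 - - [10/Feb/2022:09:01:15 +0000] "GET /index.php?current_page_type=UNION HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]


def inspect_line(line):
    """Return a finding dict for a suspicious wp-statistics request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a request line we understand; ignore
    target = m.group("target")
    if "wp-statistics" not in target.lower():  # web.url:*wp-statistics* filter
        return None
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for value in params.get("current_page_type", []):
        decoded = unquote_plus(value)  # parse_qs decoded once; catch double-encoding too
        if SQL_TOKENS.search(decoded):
            return {"ip": m.group("ip"), "ts": m.group("ts"), "value": decoded}
    return None


def scan(lines):
    """Run inspect_line over every log line and collect the findings."""
    return [f for f in (inspect_line(l) for l in lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['ip']} current_page_type={finding['value']!r}")
```

Only GET query strings are visible in access logs; POST bodies need the WAF or application-level logging the advisory mentions.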
