CVE-2022-25148

9.8 CRITICAL

📋 TL;DR

This SQL injection vulnerability in the WP Statistics WordPress plugin allows unauthenticated attackers to execute arbitrary SQL queries. Attackers can extract sensitive information from the database, including user credentials and other confidential data. All WordPress sites running vulnerable versions of WP Statistics are affected.

💻 Affected Systems

Products:
  • WordPress WP Statistics Plugin
Versions: All versions up to and including 13.1.5
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default plugin configuration, no special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to credential theft, data exfiltration, privilege escalation, and potential site takeover.

🟠 Likely Case

Extraction of sensitive user data, admin credentials, and plugin configuration information from the database.

🟢 If Mitigated

Limited impact with proper input validation and parameterized queries preventing successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code available, requires minimal technical skill to execute.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 13.1.6 and later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2679983%40wp-statistics&new=2679983%40wp-statistics&sfp_email=&sfph_mail=

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find WP Statistics and click 'Update Now'.
4. Verify the version is 13.1.6 or higher.

🔧 Temporary Workarounds

Disable WP Statistics Plugin

Platform: all

Temporarily disable the vulnerable plugin until patched:

wp plugin deactivate wp-statistics

Web Application Firewall Rule

Platform: all

Block requests containing SQL injection patterns targeting the current_page_id parameter.

🧯 If You Can't Patch

  • Implement strict input validation for current_page_id parameter
  • Deploy web application firewall with SQL injection protection rules

🔍 How to Verify

Check if Vulnerable:

Check WP Statistics plugin version in WordPress admin panel under Plugins → Installed Plugins

Check Version:

wp plugin list --name=wp-statistics --field=version

Verify Fix Applied:

Confirm WP Statistics version is 13.1.6 or higher after update

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple requests with crafted current_page_id parameters
  • Error logs showing SQL syntax errors

Network Indicators:

  • HTTP requests with SQL injection payloads in current_page_id parameter
  • Unusual traffic patterns to wp-statistics endpoints

SIEM Query:

source="web_logs" AND (uri_path="*wp-statistics*" AND query_string="*current_page_id*" AND (query_string="*UNION*" OR query_string="*SELECT*" OR query_string="*FROM*"))
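The SIEM query above applied to raw access-log lines, as an added example that is not part of this advisory or of the plugin: it matches the same three conditions (wp-statistics path, current_page_id present, SQL keyword), decodes percent-encoding before matching, and additionally flags any current_page_id that is not a plain integer, on the assumption (ours, not the advisory's) that a page id is normally numeric. Log lines and URL paths are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Keywords taken from the advisory's SIEM query; matched case-insensitively.
SQL_KEYWORDS = re.compile(r"\b(UNION|SELECT|FROM)\b", re.IGNORECASE)
# Common Log Format: client ident user [time] "METHOD target HTTP/x" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def classify(line):
    """Return None for a benign line, or a dict explaining why it was flagged."""
    m = CLF.match(line)
    if not m:
        return None
    client, ts, _method, target, status = m.groups()
    parts = urlsplit(target)
    # Scope to plugin endpoints, mirroring uri_path="*wp-statistics*".
    if "wp-statistics" not in parts.path.lower():
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes once
    if "current_page_id" not in params:
        return None
    reasons = set()
    for raw in params["current_page_id"]:
        value = unquote(raw)  # second pass catches double-encoded values
        if not value.strip().isdigit():  # assumption: ids are plain integers
            reasons.add("non-numeric current_page_id")
        if SQL_KEYWORDS.search(value):
            reasons.add("sql keyword in current_page_id")
    if not reasons:
        return None
    return {"client": client, "time": ts, "status": status, "reasons": sorted(reasons)}


def scan(lines):
    """Return the flagged entries for an iterable of access-log lines."""
    return [hit for hit in (classify(line) for line in lines) if hit]


# Constructed sample log; paths are made up and only the wp-statistics substring matters.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2022:12:00:01 +0000] "GET /wp-content/plugins/wp-statistics/assets/tracker.js HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Mar/2022:12:00:02 +0000] "GET /wp-json/wp-statistics/hit?current_page_id=42 HTTP/1.1" 200 0',
    '198.51.100.7 - - [10/Mar/2022:12:00:03 +0000] "GET /wp-json/wp-statistics/hit?current_page_id=1%20UNION%20SELECT%201 HTTP/1.1" 500 0',
    '198.51.100.7 - - [10/Mar/2022:12:00:04 +0000] "GET /wp-json/wp-statistics/hit?current_page_id=1%2520uNiOn%2520sElEcT%25201 HTTP/1.1" 200 0',
    '192.0.2.9 - - [10/Mar/2022:12:00:05 +0000] "GET /?s=select+from+list HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The second flagged line shows why decoding matters: a single-pass keyword match on the raw query string would miss the double-encoded value entirely.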
