CVE-2022-33965

9.3 CRITICAL

📋 TL;DR

This vulnerability lets an unauthenticated attacker inject arbitrary SQL into database queries issued by the WP Visitor Statistics (WP Stats Manager) WordPress plugin, versions 5.7 and earlier. Because no login is required, any site that exposes the plugin can have its database contents read, modified, or deleted through the injection, including the wp_users table that holds account records and password hashes.

💻 Affected Systems

Products:
  • Osamaesh WP Visitor Statistics (also called WP Stats Manager)
Versions: <= 5.7
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations with the vulnerable plugin version are affected regardless of configuration.

📦 What is this software?

WP Visitor Statistics (plugin slug wp-stats-manager, published by Osamaesh) is a WordPress plugin that records and reports visitor traffic statistics for a site. Like other plugins it runs inside the WordPress PHP process and queries the site database with the same MySQL account as WordPress core, so an injection in the plugin reaches every WordPress table.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the WordPress database: theft of user records and password hashes from wp_users, modification or deletion of site content, or insertion of an administrator account, leading to full site takeover.

🟠

Likely Case

Exfiltration of database contents (user data, password hashes, plugin settings), escalation to an administrator account, or injection of malicious content into posts and options served to visitors.

🟢

If Mitigated

Limited impact if the MySQL account WordPress uses holds only the privileges it needs on its own database (no FILE privilege, no access to other schemas) and a web application firewall blocks injection patterns. Note that WordPress itself needs read and write access to all of its tables, so database-level restrictions mainly prevent lateral movement to other databases and file writes via INTO OUTFILE; they do not stop data theft from the site's own tables.

🌐 Internet-Facing: HIGH - The vulnerability is unauthenticated and affects internet-facing WordPress sites.
🏢 Internal Only: MEDIUM - Internal systems could still be vulnerable if accessed by malicious insiders or compromised accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection flaws in WordPress plugins are routinely exploited with automated tools such as sqlmap once the vulnerable parameter is known, and plugin paths are easy to enumerate from the public /wp-content/plugins/ directory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.8 or later

Vendor Advisory: https://wordpress.org/plugins/wp-stats-manager/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'WP Visitor Statistics' or 'WP Stats Manager'.
4. Click 'Update Now' if an update is offered.
5. If no update appears, deactivate and delete the plugin, then install the current version from the WordPress plugin repository and confirm it reports version 5.8 or later.

🔧 Temporary Workarounds

Immediate Plugin Deactivation (Linux, WP-CLI)

Temporarily disable the vulnerable plugin to stop exploitation until it can be updated; visitor statistics collection stops while the plugin is off.

wp plugin deactivate wp-stats-manager

Web Application Firewall Rules (any platform)

Configure the WAF to block requests to /wp-content/plugins/wp-stats-manager/ whose parameters contain SQL syntax (UNION SELECT, OR 1=1, quote-and-comment sequences, SLEEP() or BENCHMARK() calls), and make sure the rule URL-decodes parameters before matching so that %27 and %20 encodings are not missed. Treat this as a stop-gap only: signature rules are bypassable and do not substitute for the update.

🧯 If You Can't Patch

  • Deactivate and remove the WP Visitor Statistics plugin immediately; removing it eliminates the vulnerable code rather than hiding it
  • Restrict access to the WordPress installation at the network or web-server level (allow-listing, VPN, or denying direct requests to the plugin directory) so only trusted clients can reach it

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for 'WP Visitor Statistics' or 'WP Stats Manager' version 5.7 or earlier.

Check Version:

wp plugin list --name='wp-stats-manager' --field=version

Verify Fix Applied:

Confirm plugin version is 5.8 or later in WordPress admin panel, or verify plugin is completely removed.
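The version check above, carried out offline against the plugin files rather than through the admin panel or WP-CLI, as an added example that is not part of this advisory or of the plugin's own code: it reads the Version: header the way WordPress core's get_file_data() does, compares it numerically against 5.8 (so that 5.10 is correctly treated as newer than 5.8, which a plain string comparison would get wrong) and reports not installed, unknown, vulnerable, or patched. The slug wp-stats-manager comes from the vendor URL above; the sample plugin header at the bottom is constructed for the stand-alone run and is not the plugin's real file.

```python
import re
from pathlib import Path
from typing import Optional, Tuple

FIXED_VERSION = "5.8"  # first fixed release, per the advisory above

# Header regexes modelled on the ones WordPress core uses in get_file_data():
# the header line may be prefixed by comment characters and whitespace.
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:(.*)$", re.MULTILINE | re.IGNORECASE)
_PLUGIN_NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:(.*)$", re.MULTILINE | re.IGNORECASE)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '5.7.1' into (5, 7, 1); non-numeric suffixes such as '-beta' are dropped."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def header_version(php_source: str) -> Optional[str]:
    """Return the Version: value from a WordPress plugin header, or None if absent."""
    match = _VERSION_RE.search(php_source)
    return match.group(1).strip() if match else None


def is_vulnerable(version: str) -> bool:
    """True when the installed version predates the fixed release (tuple comparison)."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def find_plugin_version(plugin_dir: Path) -> Optional[str]:
    """Scan the top-level .php files of a plugin directory for the main plugin header."""
    for php_file in sorted(plugin_dir.glob("*.php")):
        source = php_file.read_text(errors="replace")
        if _PLUGIN_NAME_RE.search(source):
            return header_version(source)
    return None


def assess(wp_root: Path, slug: str = "wp-stats-manager") -> str:
    """Classify a WordPress install rooted at `wp_root` for this advisory."""
    plugin_dir = wp_root / "wp-content" / "plugins" / slug
    if not plugin_dir.is_dir():
        return "not installed"
    version = find_plugin_version(plugin_dir)
    if version is None:
        return "installed, version unknown: inspect manually"
    state = "VULNERABLE" if is_vulnerable(version) else "patched"
    return f"{version}: {state}"


# Constructed sample header for the stand-alone run (not the plugin's real file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: WP Visitor Statistics
 * Version: 5.7
 */
"""

if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        print(assess(Path(sys.argv[1])))  # e.g. python check.py /var/www/html
    else:
        found = header_version(SAMPLE_HEADER)
        print(found, "vulnerable" if is_vulnerable(found) else "patched")
```

Run it with the WordPress document root as the argument on each host; where WP-CLI is available, `wp plugin update wp-stats-manager` applies the fix and the script can then be re-run to confirm the header reads 5.8 or later.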

📡 Detection & Monitoring

Log Indicators:

  • Queries in the MySQL general or slow query log that contain UNION, SLEEP(), BENCHMARK(), information_schema lookups, or comment sequences (-- or /*) and originate from the WordPress database user
  • HTTP requests to plugin-specific endpoints under /wp-content/plugins/wp-stats-manager/ with SQL syntax in their parameters; note that web-server access logs record only the query string, so injection carried in a POST body is visible only in WAF or application-level logs

Network Indicators:

  • HTTP requests containing SQL keywords (SELECT, UNION, etc.) to /wp-content/plugins/wp-stats-manager/ paths

SIEM Query:

web.url:*wp-stats-manager* AND (web.query:*SELECT* OR web.query:*UNION* OR web.query:*OR 1=1*)

The query uses generic field names; map them to your SIEM's schema. Match against a URL-decoded copy of the query string, since payloads normally arrive encoded (UNION%20SELECT, %27%20OR%201%3D1) and a raw keyword match would miss them.
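The detection logic above, run over constructed access-log lines, as an added example that is not part of this advisory: it scopes matching to the plugin path (so an ordinary site search containing the word "select" is not flagged), URL-decodes the query string twice before looking for SQL syntax so that double-encoded payloads are caught, and reports the matched fragment alongside the source address. The endpoint name placeholder.php and the IP addresses in the sample log are made up; this page does not name the vulnerable script and none is claimed here. The same decoded-pattern logic is what a WAF rule for the workaround above should match on.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_plus, urlsplit

PLUGIN_PATH = "/wp-content/plugins/wp-stats-manager/"

# Apache/nginx combined log format:
#   ip - user [time] "METHOD target HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# SQL injection indicators, matched against the *decoded* query string.
SQLI_RE = re.compile(
    r"(union\s+(all\s+)?select|\bselect\b.+\bfrom\b"
    r"|\bor\b\s+\d+\s*=\s*\d+|'\s*or\s*'"
    r"|sleep\s*\(|benchmark\s*\(|information_schema|--\s|/\*)",
    re.IGNORECASE,
)


def inspect_request(target: str) -> Optional[str]:
    """Return the SQL fragment found in the query string of `target`, or None.

    Only requests under the plugin path are examined, which keeps ordinary
    site searches that happen to contain 'select' out of the results.
    """
    parts = urlsplit(target)
    if not parts.path.startswith(PLUGIN_PATH):
        return None
    # Decode twice: a %25-encoded layer hides '%27' and '%20' from a single decode.
    decoded = unquote_plus(unquote_plus(parts.query))
    match = SQLI_RE.search(decoded)
    return match.group(0) if match else None


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Parse combined-format lines and return one record per suspicious request."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        parsed = LOG_RE.match(line)
        if not parsed:
            continue  # not in combined format; skip rather than guess
        fragment = inspect_request(parsed.group("target"))
        if fragment:
            hits.append({
                "ip": parsed.group("ip"),
                "time": parsed.group("time"),
                "status": parsed.group("status"),
                "target": parsed.group("target"),
                "match": fragment,
            })
    return hits


# Constructed sample log. 'placeholder.php' stands in for the plugin script;
# this page does not name the vulnerable file, so none is claimed here.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2022:12:00:01 +0000] "GET /wp-content/plugins/wp-stats-manager/assets/style.css HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Jul/2022:12:00:05 +0000] "GET /wp-content/plugins/wp-stats-manager/placeholder.php?id=1%27%20UNION%20SELECT%201%2C2%2C3--%20- HTTP/1.1" 200 512 "-" "python-requests/2.28"',
    '198.51.100.23 - - [10/Jul/2022:12:00:09 +0000] "GET /wp-content/plugins/wp-stats-manager/placeholder.php?id=1+OR+1%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.6"',
    '192.0.2.9 - - [10/Jul/2022:12:00:12 +0000] "GET /?s=select+a+theme HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Jul/2022:12:00:15 +0000] "GET /wp-content/plugins/wp-stats-manager/placeholder.php?id=1%2527%2520or%2520%25271%2527%253D%25271 HTTP/1.1" 403 0 "-" "curl/7.81.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} {hit['status']} {hit['match']!r} {hit['target']}")
```

A 200 response to a request carrying injection syntax deserves more attention than a 403, since it means the request reached the plugin rather than being stopped by a WAF; the third sample line shows the blocked case. The script sees only what the access log records, so complement it with WAF or PHP-level logging if the plugin's endpoints accept POST bodies.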

🔗 References

  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2022-33965
  • Vendor plugin page (changelog and current version): https://wordpress.org/plugins/wp-stats-manager/#developers